Like many PC vendors, Asus ships computers with a utility that can download and install firmware updates. And last year hackers managed to create a version of that Asus Live Update utility with a backdoor that makes it possible to deliver malware to a user’s computer directly from Asus servers.
Security researchers at Kaspersky Lab identified the supply chain attack earlier this year and were planning to discuss it in detail at a security conference next month, but released some information early due to reporting on the situation by Motherboard.
Asus, meanwhile, says that a fix for the problem has been released and that only a relatively small number of users were affected… although that last bit is up for debate.
Kaspersky has identified 57 thousand computers that had the backdoored version of Asus Live Update. But the company notes that the goal of the attack seems to have been to target a specific group of users based on the MAC addresses of their computers’ network adapters.
The security researchers identified more than 600 unique MAC addresses that were targeted — and that may be why Asus says “a small number of devices have been implanted with malicious code.”
But here’s the thing — Kaspersky says the number of MAC addresses targeted could be higher. And the number of computers with a backdoor in their firmware updating tool is almost certainly much higher.
Kaspersky’s 57-thousand figure is only for computers that are running Kaspersky security software. Most computers aren’t running that software, so the company estimates the real number of PCs with a backdoor could be as high as half a million.
According to Motherboard’s reporting, security company Symantec confirmed Kaspersky’s research and noted that at least 13 thousand more computers had a backdoored version of the update utility.
While some folks aren’t particularly impressed with the response from Asus, if you do have one of the company’s computers you should probably check out the Asus announcement for details on how to find out if your system is affected and/or how to make sure you have the latest (allegedly safe) version of Asus Live Update installed.