Updated on April 8: Razer released a statement with a list of additional laptop models affected by the security vulnerability. The company also clarified that the webpage it previously posted with instructions on how to download a patch applies only to models from 2016 and newer. A new tool for models from 2015 and earlier will be available "within a few weeks." Here is the full, updated list of affected Razer laptop models:
Razer Blade: RZ09-01021, RZ09-01161, RZ09-01301, RZ09-01652, RZ09-01952, RZ09-01953, RZ09-02385, RZ09-02386, RZ09-02886, RZ09-02705
Razer Blade Stealth: RZ09-01682, RZ09-01962, RZ09-01963, RZ09-01964, RZ09-02393, RZ09-02394, RZ09-02810, RZ09-02812
Razer Blade Pro: RZ09-0071, RZ09-0083, RZ09-0099, RZ09-01171, RZ09-01662, RZ09-01663, RZ09-02202
Updated on April 4: Razer confirmed to Laptop Mag that several laptop models, including the Blade Advanced (2018, 2019), Blade (2018) and Blade Stealth 13 (2019), are affected by a vulnerability in Intel chipsets. The company claims all new units will ship from the factory with an update that removes the vulnerabilities.
Those who currently own a Razer product are strongly encouraged to download a software patch from Razer. The company sent us this link with instructions on how to protect your PC.
First reported by The Register, a security guru named Bailey Fox posted to Twitter in March alleging that Razer laptops face a problem very similar to CVE-2018-4251, a vulnerability discovered in Apple laptops last year in which the Cupertino giant failed to disable Intel Manufacturing Mode on its motherboards before shipping them out to stores and customers.
This slip-up theoretically allows hackers who already have administrative privileges to modify a system's firmware and infect it with malware, or to roll back system firmware to make it vulnerable to other damaging exploits. In a post on SecLists.org, Fox specifically mentions the Meltdown attack as a potential exploit used on an affected PC.
"This allows for attackers to safeguard rootkits with Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such as Meltdown, and many other things," Fox wrote. "They have yet to look into getting a CVE assigned, saying it isn't necessary."
Administrative rights would already let human attackers or malicious software take over your computer, steal your sensitive data and even spy on you. But the ability to modify the firmware, which admin rights don't always confer, would let malicious code hide in your motherboard's firmware and survive a system reset as well as avoid detection by antivirus scans.
The CVE-2018-4251 vulnerability (all vulnerabilities get these code names) specifically refers to an issue discovered in Apple products in June 2018 and patched by October of last year. Apple stated that a "malicious application with root privileges may be able to modify the EFI flash memory region" in a security update post.
Fox reached out to the hardware manufacturer and said he disclosed the security issue only "after trying a month to get this dealt with via HackerOne," a bug-bounty brokerage that helps researchers get paid by companies for finding problems with their products.
Razer told Laptop Mag that certain Razer and Razer Blade models are affected by a vulnerability in Intel's chipsets and that all new models will ship from the factory with a software patch. Current Razer laptop owners are encouraged to use this link with instructions on how to download the patch.