Security Vulnerabilities processor with unpatched AMD AGESA PI in Acer Swift 3 SF314-43-R2LX

Answers

  • jonna241 (Member, Posts: 4, New User)

    ACER, please fix this!!

  • billsey (ACE, Posts: 34,101, Trailblazer)

    As stated elsewhere, you will not reach any Acer employees with a post on the community forums. You have to contact Acer directly to try and get that type of update.

    Click on "Like" if you find my answer useful or click on "Yes" if it answers your question.
  • JackE (ACE, Posts: 44,868, Trailblazer)

    Go to this link.

    Jack E/NJ

  • jose23 (Member, Posts: 6, Tinkerer)

    ALL OTHER MANUFACTURERS have already released a new BIOS version and fixed the bug that affects this AMD processor. ACER did not bother, and despite bringing this up with their support team, does not acknowledge this serious problem with its products! Well, next time I will choose carefully and pick a laptop from a manufacturer that does not abandon its consumers in less than a year…

  • jose23 (Member, Posts: 6, Tinkerer)

    ACER support team is completely irresponsible, their team was notified of this issue many months ago and they did not bother to fix this, all customers should have this in mind when looking for a new laptop!

  • JackE (ACE, Posts: 44,868, Trailblazer)

    Notify them again. And again and again if needed until something happens. In the more than two years since this thread started for this particular ACER model, not too many folks seemed to have cared about it enough to notify them and request an update or assurances the most recent BIOS firmware is somehow not too affected.

    Jack E/NJ

  • oliv2 (Member, Posts: 7, Tinkerer)

    It is not the clients' job to chase the company to fix its products!

    Anyway, I have contacted ACER support and here is the response that I have received:

    "Dear Olivier,

    Thank you for contacting Acer Group regarding your query. After checking with the internal BIOS team: because this project has reached EOL (End-of-Life) and RD evaluates the PI code update from v1.0.0.C to v1.0.1.0 as a big change (equivalent to doing 1/4 of a new project), this PI code update requirement can't be supported. Thanks for your understanding.

    Concerning the Keyboard:
    1. The KB backlight design spec of this project is:
       a. Restart from S3 will keep the previous user's setting.
       b. Restart from S4/S5 will load the KB BKL default (KBL on).

    I hope that the outlined course of action will be satisfactory.

    Regards,

    Thato
    Acer Support."

    This is a joke! This laptop model is pretty new and is still being offered by many sellers, but ACER claims that the laptop is too old to fix a CRITICAL SECURITY issue affecting the processor - the laptop that they still have on offer!!! I bought this laptop 2 months ago, brand new, in a shop!!! Basically STAY AWAY FROM ACER PRODUCTS!! This is the only advice I can give to everyone who was considering buying anything from ACER! Stay AWAY!

  • eGomes (Member, Posts: 4,173, Guru), edited July 3

    At least the Support person was sincere so we didn't create false hopes! This attitude on Acer's part is regrettable and frustrating! But you can be sure that from now on we will remember this for the rest of our days.

    As Peter Parker would say:

    "Acer no more..."

  • JackE (ACE, Posts: 44,868, Trailblazer)

    > This laptop model is pretty new
    > I bought this laptop 2 months ago, brand new, in a shop!!!

    Sorry, not really "pretty new". While you might've bought it pretty new 2 mos ago, this model series & technology is still nearly 5 years old. Probably sitting on a warehouse shelf for several years. Then eventually wholesaled to retail shops to sell well below MSRPs.

    Jack E/NJ

  • oliv2 (Member, Posts: 7, Tinkerer)

    Please stop spreading false information! This isn't any old model! While the Acer Swift 3 series might have been on the market for quite some time, the model SF314-43 with AMD Ryzen processor has been introduced to the market in 2022 and is still being sold by ACER. Here is, for example, a link to the ACER shop in Germany where you can buy it: https://store.acer.com/de-de/acer-swift-3-ultraschlankes-notebook-sf314-43-silber-nx-ab1ev-00s-nx-ab1eg-00l

    It is completely unacceptable that ACER sells faulty hardware with no intention of fixing it. I have spoken to a friend who is a lawyer and he confirmed that, due to the fact that Acer sells vulnerable hardware and refuses to provide a fix (a new BIOS, which they admitted in the email that I received from their tech support), all customers who bought this laptop have the right to return it and receive their money back, as ACER basically fails to fulfill its warranty obligations.

    I encourage you to return this laptop (you have 24 months from the date of purchase, as this is Acer's warranty) and buy a laptop from a reputable manufacturer who does care about their clients and does not refuse to fix critical issues because "it's too much work to release a new BIOS".

  • JackE (ACE, Posts: 44,868, Trailblazer)

    > While Acer Swift 3 series might have been on the market for quite some time, the model SF314-43 with AMD Ryzen processor have been introduced to the market in 2022

    Relied on actual release dates for the SF314-43-xxxx model series, its mainboard/Ryzen 5500U/5700U CPUs & initial firmware version. All were late 2020/early 2021 depending on region. Factoring in additional production & retail distribution times still suggests nearly 5-year-old technology before Win11. The last two firmware updates seem to be on Sept cycles aimed at better accommodating Win11. Maybe another update will be published this Sept?

    Jack E/NJ

  • oliv2 (Member, Posts: 7, Tinkerer)

    I again kindly ask you to stop spreading false information! The CPU AMD Ryzen 5500u has been released in 2021 so how could the Acer Swift with this CPU be released in 2020? This laptop model is from 2022.

    Also please stop misinforming people that maybe another BIOS will be released in September! Have you read the email from ACER tech support that I received and published 2 posts above your post, where they clearly inform that they are not going to release a new BIOS that would fix this vulnerability?

    I understand that you have been hired by ACER for PR, but please stop spreading misinformation! ACER abandoned users, exposing them to a serious vulnerability, and keeps selling this model despite knowing that the flaw in the CPU will allow hackers to steal passwords, credit card details and other fragile information! If anyone's laptop is hacked with the use of this vulnerability, ACER will be responsible for it, because despite users bringing this to the company's attention they ignored the fact and kept selling vulnerable hardware, explaining that they won't fix it because it's too much work for them to release a new BIOS with a proper fix!! Instead they prefer to hire marketing people that will spread misinformation that all is good… so pathetic!!! One thing is certain… I will never buy any ACER product again!!

  • billsey (ACE, Posts: 34,101, Trailblazer)

    Release date: 6th October 2021

    So not quite three years old yet.

  • JackE (ACE, Posts: 44,868, Trailblazer)

    Retail release dates can be regional and not necessarily the same as the date manufacturers have access to design/test their hardware. The BIOS version 1.00 shown earlier is dated Nov 2020 taken from the original SP314-43 specs. Three BIOS firmware updates were already available before Oct 2021 so it's older than one might think despite wherever or whatever region the dates come from?

    Jack E/NJ

  • eGomes (Member, Posts: 4,173, Guru)

    Regardless of the year of manufacture of these laptops, nothing justifies Acer's omission and total irresponsibility! We are forgetting that AMD had already made several updates to the AGESA and SMU microcodes available in recent years. Even though the AMD Ryzen 4000 and 5000 series processors (EOL products) were launched 4 or 5 years ago, AMD was not irresponsible enough to abandon its consumers.

  • Marty11 (Member, Posts: 119, Skilled Fixer)

    Dear @oliv2,

    I have a similar experience with Acer support, but never got as clear an answer as you did.
    Back in May - July 2022 I wrote multiple times to Acer support stating the open security vulnerabilities. I explained to them elaborately that:

    In short summary this means that it allows attackers to run arbitrary code and to bypass security mechanisms provided in the UEFI firmware. These attacks happen so early on in Platform Initialization (PI), that they are undetectable and unstoppable by virus scanners.

    I got the following riddling answers:

    Please always check for the latest updates to your AMD hardware using the AMD site itself as they have the latest Drivers ready.

    and this one:

    Thanks for your message. This is still being investigated by the Acer Research Team as they have not concluded this. Meanwhile, if you want a refund you should contact the (web)store where you bought the unit as we cannot provide this. We expect to receive feedback any moment so we will inform you once we do.

    I responded with:

    It's been a month. I haven't heard back from you.

    The situation hasn't changed. No security fixes have been provided by Acer. Being as it is, the new laptop is unsecurable. I can't use the laptop in this state.

    I'd like to return the laptop and get a full refund.

    As I didn't hear back from Acer, I contacted the store to return it, but they wouldn't take my return. This is where things still stand up until today TWO YEARS LATER.

    The Acer laptop hasn't been fit for serious use (because of these open security vulnerabilities) for one day in its life and now it is deemed EOL…

  • JackE (ACE, Posts: 44,868, Trailblazer)

    > In short summary this means that it allows attackers to run arbitrary code and to bypass security mechanisms provided in the UEFI firmware. These attacks happen so early on in Platform Initialization (PI), that they are undetectable and unstoppable by virus scanners.

    > This is still being investigated by the Acer Research Team as they have not concluded this.

    This Acer response suggests that its Research Team has been unable to demonstrate the alleged vulnerability with current firmware. And thus concludes that, while not zero, the probability for attack is still insufficient to warrant a patch that might introduce other problems. Accordingly, it would be interesting to hear if anyone has actually suffered an attack and report on its consequences.

    Jack E/NJ

  • Marty11 (Member, Posts: 119, Skilled Fixer)

    Dear @JackE

    Have you been hired by ACER for Public Relations?

  • JackE (ACE, Posts: 44,868, Trailblazer)

    Like most patches, firmware patches especially have non-zero probability for introducing unintended bugs that may be worse than further reducing the already-small vulnerability probabilities. Diminishing returns principle.

    Jack E/NJ

  • billsey (ACE, Posts: 34,101, Trailblazer)

    None of us are Acer employees.

    Maybe you should think seriously about buying an Intel based machine next time, since AMD doesn't seem to be pushing these types of updates via Windows update, unlike Intel. I just got new BIOS versions on two of my Intel machines in the last week or two…
