Microsoft: Firmware Attacks Outpacing Security Investments

Microsoft is confirming a surge in malicious attacks targeting firmware and the software giant wants to play a role in reducing the attack surface below the operating system.

According to a new Security Signals report released Tuesday by Microsoft, a whopping 80 percent of businesses reported “at least one firmware attack” in the past two years but only 30 percent allocated any budget spend on firmware protection.

Businesses aren’t paying close enough attention to securing this critical layer, says David Weston, Microsoft partner director of OS security.  

Microsoft commissioned a study of 1,000 enterprise security decision makers from around the world and the results confirmed that the bulk of current security spending goes to applying patches, vulnerability scanning, and advanced threat protection products that traditionally miss signs of infections below the operating system.

[ SEE: TrickBot Malware Can Scan Systems for Firmware Vulnerabilities ]

Weston said firmware provides a “fertile ground” to plant malicious code and he said the survey results show growing awareness among defenders to address this class of attacks.

“Firmware is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime below the kernel,” the company said.

The new Security Signals study identified the OS kernel as “an emerging gap” in defense but it also found that investments in this area remain low. The study found that only 36% of businesses invest in hardware-based memory encryption and less than half (46%) are investing in hardware-based kernel protections.

“Security teams are too focused on outdated ‘protect and detect’ models of security and are not spending enough time on strategic work — only 39% of security teams’ time is spent on prevention and they don’t see that changing in the next two years. The lack of proactive defense investment in kernel attack vectors is an example of this outdated model,” according to the Microsoft study.

In addition to firmware attacks, Microsoft said the survey respondents also identified a lack of automation as one reason for the disconnect between threat activity and defender investments.

“The vast majority (82%) reported that they don’t have the resources to allocate to more high-impact security work because they are spending too much time on lower-yield manual work like software and patching, hardware upgrades, and mitigating internal and external vulnerabilities,” the company said.

According to the survey, about 20 percent of defenders admitted that their firmware data goes unmonitored today, mostly because of the lack of automation. “Seventy-one percent said their staff spends too much time on work that should be automated, and that number creeps up to 82% among the teams who said they don’t have enough time for strategic work. Overall, security teams are spending 41% of their time on firmware patches that could be automated,” the study found.

Microsoft is pushing its own secured-core PC concept, encouraging businesses to invest in chip-level security and new automation and analytics capabilities.
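The report says a fifth of teams never look at their firmware data and that most lack visibility into whether Secure Boot, virtualization-based security and kernel protections are actually running. The script below is an added example, not part of the article or any Microsoft tooling: it inventories exactly those below-OS protections on one Windows 10/11 host so they can be fed to whatever automation a team already has. It assumes an elevated PowerShell session (Confirm-SecureBootUEFI requires it), and the Win32_DeviceGuard class and SecureBoot module that ship with Windows; the numeric status codes are the ones Microsoft documents for Win32_DeviceGuard. The MeetsBaseline property is this script's own simplified check (Secure Boot on, HVCI running, DMA protection available), not Microsoft's formal secured-core definition.

```powershell
# Added example (not from the article or from Microsoft): report the state of
# the below-OS protections the Security Signals report discusses.
# Assumes an elevated session on Windows 10/11.

function Get-BelowOsProtectionState {
    # Firmware identity: the data the survey says ~20% of teams never monitor.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS/CSM machines and
    # when not elevated; treat either as "cannot confirm" rather than a crash.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # Virtualization-based security and the services riding on it.
    # Codes below are from Microsoft's Win32_DeviceGuard documentation.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $serviceNames = @{
        1 = 'Credential Guard'
        2 = 'HVCI (hypervisor-enforced code integrity)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM firmware measurement'
    }
    $propertyNames = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure memory overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations'
        7 = 'Mode-based execution control'
    }

    $running   = @($dg.SecurityServicesRunning)
    $available = @($dg.AvailableSecurityProperties)

    # Simplified baseline used by this script (an assumption, not Microsoft's
    # official secured-core criteria): Secure Boot on, HVCI running,
    # kernel DMA protection available.
    $meetsBaseline = $secureBoot -and ($running -contains 2) -and ($available -contains 3)

    [pscustomobject]@{
        FirmwareVendor              = $bios.Manufacturer
        FirmwareVersion             = $bios.SMBIOSBIOSVersion
        FirmwareReleaseDate         = $bios.ReleaseDate
        SecureBoot                  = $secureBoot
        VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning             = @($running   | ForEach-Object { $serviceNames[[int]$_] })
        HardwareProperties          = @($available | ForEach-Object { $propertyNames[[int]$_] })
        MeetsBaseline               = $meetsBaseline
    }
}

# Usage: run once per host and ship the object to your inventory or SIEM, e.g.
# Get-BelowOsProtectionState | ConvertTo-Json -Depth 3
Get-BelowOsProtectionState | Format-List
```

Feeding the JSON form into an asset inventory turns the one-off check into the kind of automation the report says teams lack; the firmware version and release date fields are what a fleet-wide "is this BIOS/UEFI current" query keys on.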

Related: Devices Still Vulnerable to DMA Attacks Despite Protections

Related: Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.