A firmware vulnerability affecting Microsoft Surface devices has been mostly resolved after being identified by the company’s Copilot AI. This flaw allowed unprotected devices to be rendered inoperable by sending a single packet, particularly impacting those with Secure Core and Secure Boot disabled.
Discovery of the Vulnerability
The issue was brought to light by Jack Darcy, a security researcher in Australia, who discovered the flaw while using Microsoft Copilot to adjust screen backlighting on his Surface device. The AI-generated Python script inadvertently sent commands that overwrote the embedded controller firmware, leading to the device becoming inoperable.
Technical Details of the Flaw
Surface devices use an embedded controller known as SAM. According to Darcy, Microsoft’s implementation lacked defenses against arbitrary write values, which allowed Copilot to overwrite critical firmware. This action triggered an update command that corrupted the UEFI and Secure Boot firmware. As a result, a device may keep running for the moment, but on the next reboot it fails to initialize and does not pass the Power-On Self-Test (POST).
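The defense the article says was missing is input validation on the controller's write path: a register allowlist, a permitted value range per register, and an authentication gate on anything that can start a firmware update. The following C sketch, added here for illustration and not Microsoft's or the SAM controller's code, shows an unchecked write handler beside a checked one and a small constructed packet format with an integrity byte. The register numbers, the `0x57` packet header, the XOR checksum and the `authenticated` flag are all assumptions made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed register map for a hypothetical embedded controller.
 * Illustrative only; these are not the Surface SAM protocol values. */
#define REG_BACKLIGHT  0x10  /* panel backlight, 0..100 percent */
#define REG_FAN_TARGET 0x11  /* fan duty, 0..100 percent */
#define REG_FW_UPDATE  0xF0  /* 1 = begin firmware update (privileged) */

typedef enum {
    EC_OK = 0,
    EC_ERR_LEN,          /* malformed packet length or header */
    EC_ERR_CHECKSUM,     /* packet integrity byte did not match */
    EC_ERR_UNKNOWN_REG,  /* register not in the allowlist */
    EC_ERR_RANGE,        /* value outside the register's permitted range */
    EC_ERR_UNAUTH        /* privileged register written without authentication */
} ec_status_t;

typedef struct {
    uint8_t reg;
    uint8_t min, max;
    bool    needs_auth;
} reg_policy_t;

/* Allowlist: any register not listed here is rejected outright. */
static const reg_policy_t k_policy[] = {
    { REG_BACKLIGHT,  0, 100, false },
    { REG_FAN_TARGET, 0, 100, false },
    { REG_FW_UPDATE,  0,   1, true  },
};

/* Simulated controller state (constructed for the example). */
static uint8_t ec_regs[256];
static int     ec_update_count;   /* number of firmware updates actually started */

static void ec_apply(uint8_t reg, uint8_t val) {
    ec_regs[reg] = val;
    if (reg == REG_FW_UPDATE && val == 1) ec_update_count++;
}

/* "Before": every write lands, including one that kicks off an update. */
ec_status_t ec_write_unchecked(uint8_t reg, uint8_t val) {
    ec_apply(reg, val);
    return EC_OK;
}

/* "After": allowlist, range check, and an authentication gate, in that order. */
ec_status_t ec_write_checked(uint8_t reg, uint8_t val, bool authenticated) {
    for (size_t i = 0; i < sizeof k_policy / sizeof k_policy[0]; i++) {
        const reg_policy_t *p = &k_policy[i];
        if (p->reg != reg) continue;
        if (val < p->min || val > p->max) return EC_ERR_RANGE;
        if (p->needs_auth && !authenticated) return EC_ERR_UNAUTH;
        ec_apply(reg, val);
        return EC_OK;
    }
    return EC_ERR_UNKNOWN_REG;
}

/* Constructed wire format: [0x57 'W'][reg][val][XOR of the first three bytes].
 * The checksum catches corruption; the policy above is what stops a valid but
 * dangerous write from reaching the update path. */
ec_status_t ec_handle_packet(const uint8_t *pkt, size_t len, bool authenticated) {
    if (pkt == NULL || len != 4 || pkt[0] != 0x57) return EC_ERR_LEN;
    if ((uint8_t)(pkt[0] ^ pkt[1] ^ pkt[2]) != pkt[3]) return EC_ERR_CHECKSUM;
    return ec_write_checked(pkt[1], pkt[2], authenticated);
}

/* Accessors so the simulated state can be inspected. */
int     ec_update_requests(void) { return ec_update_count; }
uint8_t ec_read(uint8_t reg)     { return ec_regs[reg]; }
void    ec_reset(void)           { memset(ec_regs, 0, sizeof ec_regs); ec_update_count = 0; }
```

The ordering inside `ec_write_checked` matters: an unknown register is refused before any value is interpreted, and the update register can only be set by an authenticated caller, so a script that merely has host-side privileges cannot trigger the update path by writing a bare value.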
Microsoft’s Response
Microsoft has stated that it does not consider this vulnerability a practical threat, as exploiting it would require administrator privileges and specific driver interactions. A spokesperson noted that the issue did not meet the criteria for a CVE, and updates have been released to address the problem for most affected devices. Managed devices are not at risk, but users of Linux or those who have disabled Secure Core and Secure Boot may still be vulnerable if they have not received the update.
Future Security Enhancements
In light of this incident, Microsoft is planning to transition the Surface hardware stack to Rust, aiming to enhance security and reliability. This shift includes rewriting embedded controller firmware and UEFI components in Rust, which is intended to provide a more secure foundation for future devices.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.