According to a report by PCGamesN, the site had come across an independent security audit that detailed seven vulnerabilities found in no less than five different software packages from ASUS and Gigabyte. In ASUS’ case, this included its Aura Sync RGB controller software. For context, it is a standard operating procedure (SOP) for a security firm to inform a company about a vulnerability in their products (i.e. software), giving them a chance to fix the issue before the firm discloses the information to the world. This period would usually last between 60 and 90 days.
The cybersecurity company that detected the vulnerabilities, SecureAuth, points out that it had informed ASUS about the vulnerabilities as early as April 2018. Specifying that it was the GLCKIo and Asusgio drivers that left its Aura Sync package open to attacks. In Gigabyte’s case, SecureAuth laid out five different software packages that were vulnerable to attacks, but the brand denied that these vulnerabilities even affected their software. These software packages include the Gigabyte App Centre, Aorus Graphics Engine, Extreme Gaming Engine, and OC Guru II. All of which were affected by flaws found in the GPCIDrv and GDrv drivers.
ASUS and Gigabyte aren’t the only brand found with vulnerabilities in their RGB controller software. ASRock, another PC component maker, had also been warned by SecureAuth about flaws found in their software too. Unlike its competitors, ASRock had managed to patch up the vulnerabilities long before the flaw went public. (Source: PCGamesN, SecureAuth)
