A backlight-tweaking Copilot script bricked a researcher's Surface by writing garbage to its embedded controller, exposing a firmware flaw that Microsoft patched over 90 days. Managed devices with Secure Boot enabled were never exposed, which makes this a configuration-policy problem as much as a hardware one.
Microsoft has spent the past 90 days quietly pushing firmware fixes to Surface devices through Windows Update, closing a flaw that allowed the hardware to be permanently bricked by a single sequence of commands sent to its embedded controller. The catch, and the reason this story is more about device policy than panic, is that the flaw only reaches devices where Secure Boot and Secure Core have been turned off.
The vulnerability surfaced through an unusual route. Australian security researcher Jack Darcy asked Microsoft Copilot to adjust the screen backlighting on his Surface. Copilot wrote and ran a series of Python scripts that sent raw commands directly to the SAM (also called SSAM), the embedded microcontroller Surface devices use to manage hardware functions. One of those scripts overwrote the controller's firmware, and the laptop never POSTed again.
What actually happened
Copilot's script iterated blindly across a range of Command IDs (CIDs), the instruction set the SAM exposes, sending empty or null payloads to whatever it found. Because read commands and write commands are interleaved in the same numbering space rather than grouped into separate ranges, there is no safe way to enumerate the interface. "You literally cannot scan even two consecutive CIDs without a coin-flip chance of hitting a write command," Darcy told The Register. "The moment you decide to enumerate what's available, you're already firing blind writes."
The damage is not visible immediately. A probed device keeps running because the SAM is already initialized in RAM. The failure shows up on the next reboot, when the controller tries to reload from corrupted non-volatile storage, fails to initialize, and the system cannot complete its Power-On Self-Test. At that point there is no USB recovery, no factory reset, and no access to the BIOS or UEFI. Darcy describes the result as a permanent brick that can require a new motherboard, a repair running into hundreds of dollars.
The underlying design gap is the absence of any gate on arbitrary writes. On many devices, enabling write access to firmware requires a physical action such as holding a button or connecting a jumper. Surface devices had no such check, so the embedded controller accepted destructive write values from the software path without confirmation.
Why most fleets were never exposed
This is where the compliance framing matters. Microsoft acknowledged the issue but did not assign it a CVE, stating it did not meet the bar. "Our investigation found that a deprecated UEFI interface could trigger a boot loop on some devices," a spokesperson said. "To trigger this loop, the user must have administrator privileges and have already disabled the Secure Boot security feature."
In practice, that means a device managed under a standard corporate baseline was never at risk. Secure Boot enabled by policy, standard users without local administrator rights, and Secure Core left on all block the path to the controller. The exposed population is narrower and self-selected: Linux users, Windows users who disabled Secure Boot or Secure Core for gaming or custom drivers, and anyone running with USB boot enabled and elevated privileges.
Darcy believes the affected hardware spans most of the line, naming Surface Laptops 3 through 6 and Surface Book 1 through 3, with Surface Go models apparently unaffected and ARM variants untested. Microsoft says most affected devices have already been updated, with the remainder receiving fixes in the coming weeks.
What to do
There is no regulatory deadline attached to this, but the practical checklist is straightforward for anyone responsible for a Surface fleet.
Confirm that Windows Update is current on every Surface device, since the fix ships through that channel rather than as a standalone advisory. Verify that Secure Boot and Secure Core remain enabled in your device baseline, and treat any deviation as a finding rather than a user preference. Keep local administrator rights restricted, because the documented attack chain depends on them. For devices that intentionally run with Secure Boot off, such as Linux machines or developer hardware, prioritize the firmware update before exposing them to untrusted scripts or automated agents.
The broader lesson for governance teams is about automated agents acting on hardware. Copilot here was not malicious; it was attempting a routine task and wandered into a destructive interface because nothing stopped it. As AI agents gain the ability to write and execute code against local devices, the assumption that software cannot physically destroy hardware no longer holds without explicit firmware-level guards.
Microsoft's longer-term answer
Microsoft is rebuilding the foundation rather than only patching the symptom. The company told The Register it is moving the Surface embedded controller firmware to Rust through a project called Secure EC, rewriting the UEFI DXE Core in Rust under the name Project Patina, and shipping drivers written in Rust.
"We're investing in the most secure foundation for a PC by building our embedded controller firmware from the ground up in Rust," said David Abzarian, chief architect for Microsoft Surface, noting the work is part of the Open Device Partnership and that the efforts are open source. Microsoft is also co-developing the Windows Drivers in Rust (WDR) framework so hardware partners can adopt the same memory-safe approach.
Memory safety alone would not have prevented this particular flaw, which is an authorization and interface-design problem rather than a memory-corruption bug. But a ground-up rewrite is the natural point to add the validation that was missing: bounds checks on incoming commands, separation of read and write ranges, and a refusal to accept destructive writes without a deliberate trigger.
Darcy's own assessment was pointed. "The fact that a device can be destroyed, irreparably from userspace is... certainly an interesting design decision," he said. "A little more innovation around verifying incoming data at the firmware level would have been greatly appreciated." Microsoft provided him with a replacement Surface laptop in acknowledgment of the disclosure, which was handled through coordinated vulnerability disclosure with the Microsoft Security Response Center.
Comments
Please log in or register to join the discussion