Crucial MX300 SSD Firmware M0CR070 – Update Instructions

As with any firmware update, the risk of user data loss or loss of functionality of the SSD is exceedingly
low when following recommended procedures. However, it is always recommended that all important
user data be safely backed up before beginning the update procedure.

The MX300 firmware update, version M0CR070, is intended to address a potential security issue. This vulnerability can only be exploited by an individual with physical access to the drive, deep technical SSD knowledge and advanced engineering equipment.

  • One alternative which can fully secure user data is to replace hardware encryption with software encryption. This can be done by following the directions in the Microsoft BitLocker Drive Encryption™ security advisory (#ADV180028) at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028. Some third-party security software vendors also have methods to convert hardware encryption to software encryption; please consult their instruction manuals, as needed. Software encryption is a recommended method for users of Crucial MX100 and MX200 solid state drives.
  • macOS users of these Crucial SSDs who implement FileVault are using software encryption and are likely to be unaffected by this vulnerability. It is recommended to check with the system manufacturer to validate security features.
  • MX300 users who have not initialized security features using BitLocker hardware encryption in Windows Professional or Windows Enterprise editions, and who are not using hardware encryption tools from a third-party software vendor, may want to update to M0CR070, in case they choose to implement these security features later.

In deployments where it is desirable to maintain hardware encryption on the MX300, updating to version M0CR070 will offer some protection. However, to fully protect your data from this vulnerability while maintaining hardware encryption, additional steps are required. These steps are described below.

Most users will need to follow the instructions in either section 1 or section 2 below, not both.

Section 1 - For users of Windows 8/10 Professional and Windows 8/10 Enterprise, using hardware encryption with BitLocker:

  1. Before beginning this process, retrieve the SSD’s PSID, or Physical Security Identification. The PSID is a 32-character alpha-numeric code which is printed on the serial number label of the SSD. The hyphens in the printed code are for human readability, and are not needed for this update process.
  2. Ensure that all Windows installation media and keys are available and valid.
  3. Back up all important data to another storage device, or create a back-up image.
  4. Update the MX300 firmware to version M0CR070 using Storage Executive, following the firmware update instructions in the Storage Executive user guide.
  5. Also using Storage Executive, follow the user guide instructions to run the “PSID Revert” operation. The Storage Executive software will ask for the PSID code to complete the operation. This operation will wipe all user and OS data, and will re-initialize the security features of the MX300.
  6. Re-install Windows, and then copy important user data from the back-up location, or restore the image from back-up media.
  7. Re-initialize BitLocker.

Section 2 - For users who are using hardware encryption initialized by third-party security software vendors on Windows 8/10, including Home and Student editions, on previous versions of Windows, or on Mac OS:

  1. Please note, this vulnerability does not affect anti-virus or malware software from these same vendors.
  2. Ensure that the installation media for this third-party software is available and all installation keys are current and valid.
  3. Un-initialize the security features of your software, using the instructions provided by the software vendor.
  4. Completely uninstall the third-party encryption software.
  5. Update the MX300 firmware to version M0CR070 using Storage Executive, following the firmware update instructions in the Storage Executive user guide.
  6. The “PSID Revert” step is not needed in this case.
  7. Re-install the third-party security software per instructions from the software vendor.
  8. Re-initialize security features per instructions from the software vendor.
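
To help decide which section applies, the following added example (not part of Crucial's instructions and not Crucial's or Microsoft's code) lists each BitLocker volume with the model and firmware of the disk behind it and flags volumes where BitLocker reports hardware encryption. It assumes an MX300 reports a Model string containing "MX300"; hardware encryption set up by third-party software does not show up in BitLocker's status, so Section 2 users must check their vendor's tool.

```powershell
# Added example. Run in an elevated PowerShell session on Windows 8/10 Pro or Enterprise.
$FixedFirmware = 'M0CR070'   # firmware version named in these instructions

function Get-BitLockerDisk {
    # Join each lettered BitLocker volume to the physical disk that holds it.
    foreach ($v in Get-BitLockerVolume) {
        if ($v.MountPoint -notmatch '^[A-Za-z]:') { continue }   # skip volumes without a drive letter
        $disk = Get-Partition -DriveLetter $v.MountPoint[0] | Get-Disk
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            EncryptionMethod = $v.EncryptionMethod
            Model            = $disk.Model
            Firmware         = $disk.FirmwareVersion
        }
    }
}

function Get-Mx300Triage {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $isMx300  = "$($Volume.Model)" -match 'MX300'            # assumption: model naming
        $hardware = "$($Volume.EncryptionMethod)" -eq 'HardwareEncryption'
        $current  = "$($Volume.Firmware)".Trim() -eq $FixedFirmware
        $action = if (-not $isMx300) {
            'Not an MX300: these instructions do not apply'
        } elseif ($hardware) {
            'Section 1: back up, update firmware, PSID Revert, reinstall, re-initialize BitLocker'
        } elseif (-not $current) {
            'No BitLocker hardware encryption: update to M0CR070 is optional (Section 2 if a third-party tool manages hardware encryption)'
        } else {
            'No BitLocker hardware encryption; firmware already M0CR070'
        }
        $Volume | Select-Object MountPoint, Model, Firmware, EncryptionMethod,
            @{ Name = 'Action'; Expression = { $action } }
    }
}

# Constructed sample records (not real drive data) showing the decision logic:
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'HardwareEncryption'; Model = 'CONSTRUCTED MX300'; Firmware = 'OLDFW' }
    [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'XtsAes128'; Model = 'CONSTRUCTED MX300'; Firmware = 'M0CR070' }
)
$sample | Get-Mx300Triage | Format-List

# Live check on this machine:
Get-BitLockerDisk | Get-Mx300Triage | Format-List
```

A volume that still reports hardware encryption after the firmware update has not been through the PSID Revert and BitLocker re-initialization steps of Section 1, or was re-initialized with hardware encryption by choice.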