For the ThinkPwn bug, the primary means of delivery needs to be a USB memory stick. Then, the computer needs to be booted from that drive before any malware can be initiated.
Analyst Jack Gold said that the first thing that business users should do is find out whether their anti-malware products will detect software that’s trying to perform an exploit using the vulnerability. However, Gold said that because any exploit would be running in the firmware, he suspects that current anti-malware apps would not find it.
Gold also said that because any exploit would probably need to be installed on a machine via physical access to its USB port, it’s not an easy thing to do. His advice to IT managers, “Be mindful of this, stay up to date, but I wouldn’t consider this a huge risk.”
The reason the risk is limited is because the UEFI is written specifically for each type of machine, and for an exploit to work, it would have to target this specific type as well. For this reason, a Lenovo exploit wouldn’t work on a HP laptop, even if they had the same vulnerability.
What should the computer makers do about this vulnerability? The obvious answer is that they can ask their BIOS vendors to create a new UEFI package using Intel reference code from after the vulnerability was fixed and then distribute a BIOS update.
But of course, just because it’s easy to say that a BIOS update would solve the problem, issuing such an update can be very complex to current hardware owners. Worse, trusting individual owners to update the BIOS in their computers is a dangerous proposition. Done wrong, the result could be to prevent the computer from ever working again.
Of more concern is Oleksiuk’s suggestion that the ThinkPwn exploit applied in malware. While such a malware attack would of necessity be very difficult because it would require the malware to detect the type of machine it was infecting, such sophisticated malware has already been created to attack other types of vulnerabilities. This means that creating such malware to attack machines with different UEFI code is possible.
While there’s no reason to panic about the possibility of malware aimed at your computers’ BIOS, you also can’t afford to drop your guard. Instead, it’s important to keep in touch with Lenovo or whoever builds your computers and find out if there is a vulnerability. If there is you need to fix it as soon as possible.
Originally published on eWeek
Quiz: What do you know about Windows 10?
Page: 1 2
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
US prosecutors confirm earlier reports, demand Google sells off Chrome web browser and end default…
Following Australia? Technology secretary Peter Kyle says possible ban on social media for under-16s in…
Restructuring expert appointed to oversea Northvolt's main facility in northern Sweden, amid financial worries