Firmware Flaw Affects Lenovo ThinkPads, Other PC Makers’ Hardware

Lenovo has confirmed that reports of a critical vulnerability in the UEFI (Unified Extensible Firmware Interface) firmware of its ThinkPad computers are accurate and that the company is currently investigating the problem.

Lenovo released a statement on June 30 confirming that there is a vulnerability in the ThinkPad's System Management Mode (SMM) BIOS code that was introduced by one of its independent BIOS vendors. However, Lenovo has not yet specified which range of ThinkPad models is affected.

UEFI is the modern successor to what used to be called the BIOS (Basic Input/Output System): the firmware layer that sits between the computer hardware and the operating system, such as Microsoft Windows. The current practice is that IBVs (Independent BIOS Vendors) start from reference code provided by the CPU and chipset manufacturer, in this case Intel, and add the machine-specific code that completes the firmware for a particular platform.

Lenovo firmware

Normally, machines using similar processors and chipsets will be built on the same reference code. This means that while the vulnerability could have been introduced by the IBV, it is also possible that it originated with Intel when it wrote the reference code.

The vulnerability was found by independent security researcher Dmytro Oleksiuk, who published details on GitHub, the software development collaboration site. Oleksiuk says in his posting that the vulnerability, which he has named ThinkPwn, allows the execution of arbitrary code in System Management Mode, the most privileged execution mode on x86 processors, which runs beneath the operating system and any hypervisor.

He said that this allows an attacker to disable the SPI flash write protection and then infect the platform firmware with malware. This in turn allows an attacker to disable Secure Boot and to bypass Virtual Secure Mode on Windows 10.

By embedding malware in the system firmware, an attacker can avoid detection by anti-malware software, which runs above the firmware and cannot see it. Furthermore, such malware survives a disk wipe or an operating system reinstall and may be difficult or impossible to remove.
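The reason arbitrary SMM code is enough to "disable flash write protection" is that the flash locks on Intel platforms are either enforced from SMM or defer to it. The following is an added example, not code from the article or from the ThinkPwn research: it decodes the Intel PCH BIOS_CNTL register (LPC bridge PCI configuration space, offset 0xDC, with the bit layout given in Intel's PCH datasheets) and classifies what the protection actually rests on. The register values used are constructed, not read from a real machine; reading the live value needs root and PCI config access (for example chipsec's bios_wp module or setpci), which this example does not perform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not from the article or from the ThinkPwn research.
 * Intel PCH BIOS_CNTL (LPC bridge config space, offset 0xDC) bit layout
 * as documented in the PCH datasheets:
 *   bit 0  BIOSWE   BIOS Write Enable: 1 = BIOS region of SPI flash writable
 *   bit 1  BLE      BIOS Lock Enable: setting BIOSWE=1 raises an SMI so the
 *                   firmware's SMI handler can clear it again
 *   bit 5  SMM_BWP  SMM BIOS Write Protect: writes honoured only while the
 *                   processor is in SMM (present on later PCH generations)
 * The SPI controller's protected-range (PRx) registers are a separate,
 * SMM-independent lock and are deliberately not modelled here.
 */
#define BIOSWE  (1u << 0)
#define BLE     (1u << 1)
#define SMM_BWP (1u << 5)

enum wp_state {
    WP_WRITABLE,   /* BIOSWE set, SMM_BWP clear: any ring-0 code can write flash */
    WP_NO_LOCK,    /* BIOSWE and BLE clear: ring-0 code simply sets BIOSWE */
    WP_BLE_ONLY,   /* BLE set: protection depends on the SMI handler vetoing BIOSWE */
    WP_SMM_BWP     /* SMM_BWP set: writes are accepted only from SMM */
};

enum wp_state classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & SMM_BWP)
        return WP_SMM_BWP;      /* BIOSWE=1 does not help outside SMM */
    if (bios_cntl & BIOSWE)
        return WP_WRITABLE;
    if (bios_cntl & BLE)
        return WP_BLE_ONLY;
    return WP_NO_LOCK;
}

/* True when flash is protected from ordinary ring-0 code but that
 * protection rests on SMM being trustworthy. Code already running in
 * SMM satisfies the SMM_BWP condition and can set BIOSWE itself, so a
 * bug like ThinkPwn turns either state into "writable". */
bool protection_rests_on_smm(uint8_t bios_cntl)
{
    enum wp_state s = classify_bios_cntl(bios_cntl);
    return s == WP_BLE_ONLY || s == WP_SMM_BWP;
}

/* True when kernel-mode code can write the BIOS region without
 * involving SMM at all, i.e. no SMM exploit is even needed. */
bool writable_without_smm(uint8_t bios_cntl)
{
    enum wp_state s = classify_bios_cntl(bios_cntl);
    return s == WP_WRITABLE || s == WP_NO_LOCK;
}

static const char *describe(enum wp_state s)
{
    switch (s) {
    case WP_WRITABLE: return "BIOSWE=1: flash writable from any ring-0 code";
    case WP_NO_LOCK:  return "BLE=0: ring-0 code can set BIOSWE unchallenged";
    case WP_BLE_ONLY: return "BLE=1: SMI handler must veto BIOSWE; SMM code bypasses it";
    case WP_SMM_BWP:  return "SMM_BWP=1: writes only from SMM; SMM code can write";
    }
    return "?";
}

int main(void)
{
    /* Constructed sample register values, not readings from a real machine. */
    const uint8_t samples[] = { 0x00, 0x01, 0x02, 0x22 };
    for (size_t i = 0; i < sizeof samples; i++) {
        uint8_t v = samples[i];
        printf("BIOS_CNTL=0x%02x  %-60s  rests_on_smm=%d\n",
               v, describe(classify_bios_cntl(v)), protection_rests_on_smm(v));
    }
    return 0;
}
```

The practical reading: a fully locked machine (BLE and SMM_BWP both set, typically 0x22 with the reserved bits clear) is exactly the configuration chipsec reports as protected, and it is also exactly the configuration that a vulnerable SMI handler hands back to the attacker, because the check being bypassed is the one the lock delegates to.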

Not alone

Oleksiuk says in his GitHub entry that the vulnerability was apparently fixed by Intel in 2014, but because there was no public announcement, computer makers whose UEFI code was still based on the earlier reference code never removed it.

Further research by Oleksiuk and others appears to indicate that Lenovo is not the only computer maker affected by the same bug. Independent security researcher Alex James has reported in a series of tweets that he found the same vulnerability in some Hewlett-Packard laptop computers and in the firmware for some Gigabyte Technology motherboards.

The vulnerability was discovered so recently that the full extent of the problem is unknown. But because the independent BIOS vendors reuse Intel's reference code and shared UEFI components as much as possible, the problem is likely to be much more widespread than the three makers currently known.

While Lenovo has acknowledged that the vulnerability exists, there is more to attacking a computer than the existence of a vulnerability. At the very least, there needs to be a means of delivering it: an SMM flaw of this kind is triggered by code that is already running on the machine with kernel-level or boot-time privileges, so it is a privilege-escalation and persistence vector rather than a remote entry point.

Continues on Page 2

Originally published on eWeek


Wayne Rash

Wayne Rash is senior correspondent for eWEEK and a writer with 30 years of experience. His career includes IT work for the US Air Force.
