Lenovo ThinkPwn UEFI exploit also affects products from other vendors

Lenovo has confirmed that reports of a critical vulnerability in the UEFI (Unified Extensible Firmware Interface) firmware of its ThinkPad computers are accurate and that the company is now investigating the problem. The exploit can be used to sidestep security features built into Windows and allow an attacker to execute malicious code in the CPU’s privileged System Management Mode (SMM). IBV stands for Independent BIOS Vendor; an IBV supplies a package of ready-made code that is integrated into BIOS and UEFI (an evolution of BIOS firmware code) to ensure compatibility with other device components. Normally, machines using similar processors and chipsets will use the same reference code.

A security researcher has revealed that the Lenovo ThinkPad series is affected by a critical security vulnerability.

The flaw, which could enable arbitrary code execution, affects the ThinkPad System Management Mode (SMM), according to a post on GitHub by a person who identified himself as Dmytro Oleksiuk. He said that this will allow an attacker to disable flash write protection and then infect the platform firmware with malware.

The exploit can disable the write protection of firmware, meaning that Windows security features, such as Secure Boot, can be disabled. The firmware was supplied by Insyde Software, a Taiwanese IBV. Furthermore, the malware may be hard or impossible to remove. Lenovo did not seem happy about Oleksiuk posting the information before the company itself could, claiming “several unsuccessful attempts to collaborate with the researcher in advance of his publication”.

What’s worse is that this was quickly confirmed to not be limited to Lenovo ThinkPads as originally thought.

The vulnerability is not limited to Lenovo computers: independent researcher Alex James has reported that some Hewlett-Packard laptops and Gigabyte Technology motherboards also share the issue. The extent of the security concern is not yet known. But because Intel and the independent BIOS vendors likely used similar reference code and UEFI software as much as possible, the problem is likely to be much more widespread than just the three makers that are now known. When your BIOS – the basic input/output system controlling your computer’s startup process – has a security vulnerability, fixing it is much more challenging. At the very least, there needs to be a means of delivering the fix.
