A security flaw that affects the BIOS of multiple Lenovo computers remains unpatched nearly a week after an independent security researcher discovered it.
The flaw, which could enable arbitrary code execution, affects the ThinkPad system management mode (SMM), according to a post on GitHub by a person who identified himself as Dmytro Oleksiuk.
By running arbitrary code in SMM, a hacker could disable flash write protection and bypass the secure boot-up feature of Windows 10's Enterprise edition, among other actions, according to Oleksiuk. He wrote on June 30 that he had confirmed the vulnerability on several Lenovo laptops, from the ThinkPad T450s to the older ThinkPad X220. The possibility of remote code execution could exist in the firmware of other manufacturers as well as Lenovo, he added.
In a security advisory posted to its website, Lenovo said it had confirmed the BIOS vulnerability that Oleksiuk posted and is still working to find a solution.
"At this point, Lenovo knows that vulnerable SMM code was provided to Lenovo by at least one of our Independent BIOS Vendors (IBVs)," the advisory said. IBVs supply firmware for PC makers. Lenovo said it works with three IBVs, though it did not specify which of its computer models use the affected BIOS.
In addition to the BIOS suppliers, the company said code from Intel may also have contributed to the vulnerability.
"The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel," Lenovo wrote. "Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose.
"But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code."
The vulnerability comes more than a year after the Superfish flaw, which involved adware installed on Lenovo PCs. About a week after that flaw was discovered, Lenovo offered a tool that would remove the software.
Source: pcmag.com