Lenovo PCs found to have critical BIOS vulnerability, other manufacturers may be affected too

By Bryan Chan & James Lu - on 5 Jul 2016, 2:48pm

Laptops like Lenovo's X1 Carbon may be affected by a critical BIOS vulnerability.

Security researcher Dmytro Oleksiuk has uncovered a flaw in the BIOS of Lenovo PCs that could let attackers circumvent Windows' basic security protocols. However, while the vulnerability was found on Lenovo PCs, Oleksiuk posted on his GitHub that the vulnerable firmware driver was copied and pasted from data supplied directly by Intel, which means other manufacturers using the same BIOS software could also be vulnerable. At this time, at least one 2010-era HP Pavilion laptop is known to contain the vulnerable code.

Oleksiuk says that an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise.”

Lenovo has issued a public response confirming the vulnerability, and has said that it is working with its partners to develop a fix as soon as possible. A full list of the affected devices has not been issued at this time.

Worryingly, both Oleksiuk and Lenovo suggest that the vulnerable code could actually be an intentional backdoor, with Lenovo stating that it does not know "the original purpose of the vulnerable code."

Source: Lenovo, Dmytro Oleksiuk via Engadget