Lenovo users are exposed to security risks once more. The company has confirmed the existence of a critical vulnerability in the Unified Extensible Firmware Interface (UEFI) of its ThinkPad PCs. Lenovo is now investigating the problem and hopes to come up with a solution to an issue that may affect other manufacturers as well.
The Unified Extensible Firmware Interface, or UEFI, is the successor to what we used to know as the BIOS, or Basic Input/Output System. It forms an interface between the PC’s hardware and its operating system. The exploit, called ThinkPwn, targets a privilege escalation flaw in a UEFI driver. This allows an attacker to remove the firmware write protection and execute rogue code in System Management Mode (SMM), a highly privileged operating mode of the central processing unit (CPU).
The flaw was discovered by an independent researcher, Dmytro Oleksiuk, who detailed the technicalities on GitHub, commenting on how Lenovo users are exposed to security risks. According to him, attackers can disable Secure Boot and also bypass Windows 10’s Credential Guard feature, leaving enterprise domain credentials exposed to hackers.
Lenovo issued a statement on this matter on June 30. The company rates the severity of the SMM BIOS vulnerability as high, calling it an “industry-wide” concern. Lenovo’s Product Security Incident Response Team is now conducting its own investigation into the vulnerable package of code, which, as the company is quick to point out, was provided by Independent BIOS Vendors (IBVs). All three of the major IBVs that Lenovo works with are engaged in the investigation, along with Intel, which provided the original code base. At the moment, the original author of the code and its intended purpose remain unknown.
The company assures users that “Lenovo is committed to the security of its products and is working with its IBVs and Intel to develop a fix that eliminates this vulnerability as rapidly as possible,” and that “Additional information regarding the fix will be posted as soon as it is available on the Product Security Advisory web site.”
The vulnerability is not limited to Lenovo computers: independent researcher Alex James has reported that some Hewlett-Packard laptops and Gigabyte Technology motherboards share the same issue. However, Lenovo has had many security problems in the past, including accusations that it deliberately shipped spyware-infested PCs. Now, Lenovo users are exposed to security risks once more.