Zero Day BIOS Bug Found On Lenovo PCs – Other PC Makers Also Affected

Adding to Lenovo’s security woes, another BIOS vulnerability has been found on the vendor’s PCs. According to an official statement from Lenovo, the flaw originates from one of its independent BIOS vendors and Intel so it’s likely other PC manufacturers are affected as well. Here’s what you need to know.

Image: Supplied

Lenovo gained unfavourable attention when it was discovered that an adware dubbed Superfish was pre-loaded onto its PCs. Then there was the incident when it was discovered that the vendor had been installing bloatware into the BIOS of its machines, which made the software difficult to remove. Both of those things were found to be security risks.

Now a new BIOS security flaw has been found by independent security researcher Dymtro Oleksiuk. According to his entry on GitHub, the bug affects all ThinkPad series laptops. It is a privileges escalation vulnerability in the SystemSmmRuntimeRt UEFI driver, specifically in the System Management Mode (SMM) code, of Lenovo’s firmware:

“Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.”

Lenovo has issued an official statement on this and noted that the vulnerability in the SSM code was provided to the company by at least one independent BIOS vendors. These vendors are software development firms that help other PC makers customise BIOS firmware to be loaded on branded computers.

According to Oleksiuk, the vulnerable code was provided by chip maker Intel to independent BIOS vendors, specifically for 8-series chipsets. This means that other PC makers are likely to be affected by this. At least one person has confirmed that the flaw has been found on a HP laptop.

So far, Lenovo has not issued a fix for the security flaw but has said it’s working with BIOS vendors and Intel to investigate the matter. If you own a Lenovo ThinkPad PC, you should keep an eye out for updates on the Lenovo Security Advisory.

[Via Lenovo/GitHub]

The Cheapest NBN 50 Plans

Here are the cheapest plans available for Australia’s most popular NBN speed tier.

At Lifehacker, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.


One response to “Zero Day BIOS Bug Found On Lenovo PCs – Other PC Makers Also Affected”