Lenovo is patching up a critical vulnerability in its PCs, other makers may be affected

Lenovo ThinkPad 13
Bill Roberson/Digital Trends
A security researcher has identified a serious flaw in Lenovo PCs that may also implicate other PC makers and chipmaker Intel.

Posting on GitHub, Dymtro “Cr4sh” Oleksiuk said he discovered a Unified Extensible Firmware Interface (UEFI) bug in Lenovo’s ThinkPad System Management Mode (SMM) that would allow an attacker to bypass Windows’ security protocols.

“Exploitation of the vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things,” claimed Oleksiuk.

This all stems from a common code from Intel allegedly provided by independent BIOS vendors (IBVs), which is where Lenovo appears to be placing the blame, but it added in its security advisory that the investigation is ongoing.

The company stated that it knows this vulnerable code was provided by “at least one” IBV. Lenovo works with three IBVs but it did not specify beyond that or give names.

“Following industry standard practice, IBVs start with the common code base created by chip vendors, such as Intel or AMD, and add additional layers of code that are specifically designed to work with a particular computer. Lenovo currently works with the industry’s three largest IBVs,” read the advisory.

What’s important to note here is that IBVs work with a number of computer makers. While Oleksiuk said that he found this flaw in more than one Lenovo laptop he tested, it’s very much possible the flaw exists in other PC brands too.

“Lenovo is blaming it’s [sic] IBV, so, it’s 100% that there’s others OEM’s that have this vuln in their products,” Oleksiuk tweeted. Shortly afterwards another Twitter user responded with a claim that he had found the same vulnerability in a HP computer that shipped in 2010.

In its statement, Lenovo took issue with Oleksiuk publishing his findings before having any contact with its own team. The statement said Lenovo made “several unsuccessful attempts” to reach out to and collaborate with the researcher before he went public.

For now, a fix is in the works. “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code,” it said.

As of this writing no other PC makers have commented on the reported vulnerability.

Computing

Save $900 on the ThinkPad X1 Carbon and more with Lenovo’s Cyber Monday sales

In the latest set of holiday sales, Lenovo is heavily discounting its fifth-generation ThinkPad X1 Carbon and other popular Windows laptops and 2-in-1s for the holiday shopping season.
Computing

Latest SMS breach could allow hackers access to your online accounts

A new security breach that exposed more than 26 million text messages could be a huge nightmare for users relying on two-factor authentication. Many of the SMS on the database contained security codes and account reset links.
Smart Home

Here's our comparison of the Lenovo Smart Display and the JBL Link View

Looking for the right smart display? We're comparing the Lenovo Smart Display vs. JBL Link View, two excellent smart displays that are made for different audiences. Here's what you need to know about both displays and what they do.
Computing

Microsoft takes up to $330 off of Surface PC bundles in Black Friday promo

'Tis the season for savings at Microsoft. The Surface-maker is offering some nice Black Friday deals on its Surface Pro 6, Go, and Laptop 2 hardware. You'll also find deals on notebooks from HP, Dell, and Lenovo.
Computing

Go hands-free in Windows 10 with speech-to-text support

Looking for the dictation, speech-to-text, and voice control options in Windows 10? Here's how to set up speech-to-text in Windows 10 and use it to go hands-free in a variety of different tasks and applications within Windows.
Computing

These cheap laptops will make you wonder why anyone spends more

Looking for a budget notebook for school, work, or play? The best budget laptops, including our top pick -- the Asus ZenBook UX330UA -- will get the job done without digging too deep into your pockets.
Computing

Don't use streaming apps? These are the best free players for your local music

Rather than using music streaming apps, you may want something for playing your local music. Good news! There are some good alternatives. These are the best media players you can download for free on Windows.
Computing

Style up your MacBook Air with one of these great cases or sleeves

Whether you’re looking for added protection or a stylish flourish, you’re in the right place for the best MacBook Air cases. We have form-hugging cases, luxurious covers and padded sleeves priced from $7 to $130. Happy shopping!
Computing

How to easily record your laptop screen with apps you already have

Learning how to record your computer screen shouldn't be a challenge. Lucky for you, our comprehensive guide lays out how to do so using a host of methods, including both free and premium utilities, in both MacOS and Windows 10.
Gaming

Want to gift a Steam game so you can play with a friend? Here's how to do it

The holidays may have passed, but it's always a good time to give the gift of gaming (especially when there's a Steam sale)! Here's our quick guide on how to give a Steam game as a gift.
Computing

Multi-monitor issues? Here's how to resolve them

If you're running into multi-monitor problems, you're not alone. Two screens are very useful, but they can present some difficulties. Here are some common multi-monitor problems and how to fix them.
Computing

Capture screenshots with print screen and a few alternative methods

Capturing a screenshot of your desktop is easier than you might think, but it's the kind of thing you'll probably need to know. Here's how to perform the important function in just a few, easy steps.
Deals

Black Friday 2018: The best deals so far

Black Friday is the biggest shopping holiday of the year, and it will be here before you know it. If you can't wait until November 23 to start formulating a shopping plan, we've got you covered.
Smart Home

All the best Amazon Black Friday deals for 2018

Amazon may be an online-only retailer, but that doesn’t mean its Black Friday sales are anything to sniff at. In fact, due to its online status, Amazon has huge flexibility with the range of products and deals it can offer. Here's our…