Firmware Flaw Affects Lenovo ThinkPads, Other PC Makers' Hardware
For the ThinkPwn bug, the primary means of delivery needs to be a USB memory stick. Then, the computer needs to be booted from that drive before any malware can be initiated.
Analyst Jack Gold said the first thing business users should do is find out whether their anti-malware products will detect software that's trying to perform an exploit using the vulnerability. However, Gold said that because any exploit would be running in the firmware, he suspects that current antimalware apps would not find it. Gold also said that because any exploit would probably need to be installed on a machine via physical access to its USB port, it's not an easy thing to do. His advice to IT managers: “Be mindful of this, stay up to date, but I wouldn't consider this a huge risk.”
But that doesn't mean that there's no risk at all. Oleksiuk has said in some of his public statements that he believes it would be possible to create a malware attack that would take advantage of the ThinkPwn vulnerability. But even if the exploit could be spread through malware, that doesn't necessarily raise the risk much.
What should the computer makers do about this vulnerability? The obvious answer is that they can ask their BIOS vendors to create a new UEFI package using Intel reference code written after the vulnerability was fixed and then distribute a BIOS update. It's easy to say that a BIOS update would solve the problem, but issuing such an update to current hardware owners can be very complex. Worse, trusting individual owners to update the BIOS in their computers is a dangerous proposition. Done wrong, the update could effectively kill the computer, preventing it from ever working again.
Of more concern is Oleksiuk's suggestion that the ThinkPwn exploit was applied in malware. While such a malware attack would be very difficult because it would require the malware to detect the type of machine it was infecting, such sophisticated malware already has been created to attack other types of vulnerabilities. This means creating such malware to attack machines with different UEFI code is possible. While there's no reason to panic about the possibility of malware aimed at your computers' BIOS, you also can't afford to drop your guard. Instead, keep in touch with Lenovo or whichever vendor builds your computers and find out if there is a vulnerability. If there is, you need to fix it as soon as possible.
The risk is limited because the UEFI is written specifically for each type of machine, and for an exploit to work, it would have to target that specific type as well. For this reason, a Lenovo exploit wouldn't work on an HP laptop, even if it had the same vulnerability.