Firmware Flaw Affects Lenovo ThinkPads, Other PC Makers' Hardware
NEWS ANALYSIS: A new zero-day vulnerability may also affect computers from other makers that used similar Intel UEFI reference code to create their BIOS firmware.

Lenovo has confirmed that reports of a critical vulnerability in the UEFI (Unified Extensible Firmware Interface) in its ThinkPad computers are accurate and that it is currently investigating the problem. Lenovo released a statement on June 30 verifying that there is a vulnerability in the ThinkPad's System Management Mode (SMM) BIOS code that was introduced by one of its independent BIOS vendors. However, Lenovo hasn't specified which range of ThinkPad models is likely affected by the vulnerability.

The UEFI is the current version of what used to be called the BIOS (basic input/output system), the firmware that forms the interface between the computer hardware and the operating system, such as Microsoft Windows. The current practice is that the IBVs (independent BIOS vendors) work from reference code provided by the CPU manufacturer and then develop the machine-specific code that provides the rest of the interface. Normally, machines using similar processors and chipsets will use the same reference code. This means that while the vulnerability could have been introduced by the IBV, it is also possible that it was introduced by Intel when it created the reference code.
The vulnerability was found by independent security researcher Dmytro Oleksiuk, who published details on GitHub, a software development collaboration site. Oleksiuk said in his posting that the vulnerability, which he has named ThinkPwn, allows the running of arbitrary SMM code. This enables an attacker to disable flash write protection and then infect the platform firmware with malware. This, in turn, allows an attacker to disable Secure Boot and Virtual Secure Mode on Windows 10.
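The "flash write protection" that arbitrary SMM code can switch off is a handful of chipset register bits. The following is an added example, not code from the article, from Lenovo, or from the ThinkPwn researcher: it decodes the Intel PCH BIOS_CNTL bits (BIOSWE, BLE, SMM_BWP) and the SPI Protected Range registers PR0..PR4 the way open-source firmware-audit tools such as chipsec's bios_wp module do, and reports whether the BIOS region is locked against writers running outside SMM. The register values it is fed are constructed sample values, not readings from a real ThinkPad; on a live system the values would come from a tool that reads PCI configuration and SPI MMIO space.

```python
"""Decode Intel PCH BIOS flash write-protection state from register values.

Added example; not code from the article, Lenovo, or the ThinkPwn researcher.
Bit layout follows Intel PCH datasheets (the same checks chipsec's bios_wp
module performs). All register values used here are constructed samples.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# BIOS_CNTL register bits
BIOSWE = 1 << 0    # BIOS Write Enable: host may write the BIOS region of the flash
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM code can clear it again
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: BIOS region writable only while the CPU is in SMM

# SPI Protected Range registers PR0..PR4: bit 31 WPE, bits 28:16 limit, bits 12:0 base
# (base and limit are 4 KiB units relative to the start of the flash)
PR_WPE = 1 << 31
PR_FIELD_MASK = 0x1FFF


@dataclass
class FlashProtectionReport:
    bios_write_enabled: bool          # BIOSWE set: writes currently permitted
    lock_enabled: bool                # BLE set
    smm_only_writes: bool             # SMM_BWP set
    protected_ranges: List[Tuple[int, int]] = field(default_factory=list)
    write_protected: bool = False     # overall verdict for the BIOS region


def decode_protected_range(pr: int) -> Optional[Tuple[int, int]]:
    """Return the (base, limit) byte addresses a PR register protects, or None if WPE is clear."""
    if not pr & PR_WPE:
        return None
    base = (pr & PR_FIELD_MASK) << 12
    limit = (((pr >> 16) & PR_FIELD_MASK) << 12) | 0xFFF
    return base, limit


def assess_flash_protection(bios_cntl: int, prs: Sequence[int] = ()) -> FlashProtectionReport:
    """Evaluate whether the BIOS region is write-protected against code running outside SMM."""
    report = FlashProtectionReport(
        bios_write_enabled=bool(bios_cntl & BIOSWE),
        lock_enabled=bool(bios_cntl & BLE),
        smm_only_writes=bool(bios_cntl & SMM_BWP),
    )
    report.protected_ranges = [r for r in map(decode_protected_range, prs) if r is not None]
    # Protection against ring-0 writers needs all three: writes disabled, the lock
    # that stops them being re-enabled, and SMM-only writes (without SMM_BWP the
    # BLE SMI handler can be raced from another core).
    report.write_protected = (
        not report.bios_write_enabled and report.lock_enabled and report.smm_only_writes
    )
    return report


def describe(report: FlashProtectionReport) -> str:
    """Human-readable summary in the style of a firmware-audit tool."""
    lines = [
        f"BIOSWE={int(report.bios_write_enabled)} BLE={int(report.lock_enabled)} "
        f"SMM_BWP={int(report.smm_only_writes)}"
    ]
    for base, limit in report.protected_ranges:
        lines.append(f"protected range 0x{base:08X}-0x{limit:08X}")
    lines.append("BIOS region write-protected" if report.write_protected
                 else "BIOS region NOT fully write-protected")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: a locked configuration and an unlocked one.
    locked = assess_flash_protection(0x22, [0x8FFF0800, 0, 0, 0, 0])
    unlocked = assess_flash_protection(0x01, [0, 0, 0, 0, 0])
    print(describe(locked))
    print(describe(unlocked))
```

The caveat this makes visible is the one behind the article: every one of these bits is enforced by the chipset on behalf of SMM, and the BLE lock works precisely by handing control to an SMI handler. A report of "write-protected" therefore only says what code outside SMM cannot do; once arbitrary code runs in SMM, as Oleksiuk describes, it can clear these bits itself, which is why a firmware-side fix from the vendor, rather than any OS-level setting, is the remedy.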