Header Ads

Another Critical security flaw found in Lenovo Computer

Security researcher Dymtro "Cr4sh" Oleksiuk claims to have uncovered a flaw in Lenovo machines that could let attackers circumvent Windows' basic security protocols. According to his post on Github, the vulnerable firmware driver was copy-and-pasted from data supplied by Intel or AMD. His concern was that other manufacturers might have adopted the same code -- with at least one HP Pavillion laptop from 2010 already identified as packing the flaw.

Lenovo issued a public response, saying that it tried to speak to Oleksiuk before he published the flaw to no avail. It corroborated the suggestion that the code was supplied by a third party working from common code that came from Intel. The firm doesn't go so far as to assign blame to the chipmaker, but there's enough to imply that there's a whole heap of fault going that way. 

Lenovo added that it's investigating the issue and will work with its partners to develop a fix as soon as possible.

Lenovo has actively undertaken its own investigation, which remains ongoing. At this point, Lenovo knows that vulnerable SMM code was provided to Lenovo by at least one of our Independent BIOS Vendors (IBVs). Independent BIOS vendors (IBVs) are software development firms that specialize in developing the customized BIOS firmware that is loaded into the PCs of original equipment manufacturers, including Lenovo.  Following industry standard practice, IBVs start with the common code base created by chip vendors, such as Intel or AMD, and add additional layers of code that are specifically designed to work with a particular computer. Lenovo currently works with the industry’s three largest IBVs.  

There's also a theory that the compromising piece of code might not have been created in error, but placed there as a backdoor. Oleksiuk mentions this just once, in passing, but the Register points out that Lenovo's public statement leaves a few questions. For instance, the manufacturer says that it is "determining the identity of the original author," because it "does not know its originally intended purpose." Although we'd like to think that if the CIA (or its brethren) did write it, it had the sense not to leave any evidence of its involvement.

Source: The Register, Github, Lenovo,

No comments

blogmytuts. Powered by Blogger.