Firmware Flaw Affects Lenovo ThinkPads, Other PC Makers’ Hardware

Wayne Rash,

ANALYSIS: New zero-day vulnerability may also affect computers from other makers that used similar Intel UEFI reference code to create their BIOS firmware

For the ThinkPwn bug, the primary means of delivery needs to be a USB memory stick. Then, the computer needs to be booted from that drive before any malware can be initiated.

Analyst Jack Gold said that the first thing that business users should do is find out whether their anti-malware products will detect software that’s trying to perform an exploit using the vulnerability. However, Gold said that because any exploit would be running in the firmware, he suspects that current anti-malware apps would not find it.

Gold also said that because any exploit would probably need to be installed on a machine via physical access to its USB port, it’s not an easy thing to do. His advice to IT managers, “Be mindful of this, stay up to date, but I wouldn’t consider this a huge risk.”

ThinkPwn

lenovo yoga 260But that doesn’t mean that there’s no risk at all. Oleksiuk has said in some of his public statements that he believes that it would be possible to create a malware attack that would take advantage of the ThinkPwn vulnerability. But even if the exploit could be spread through malware, that doesn’t necessarily raise the risk much.

The reason the risk is limited is because the UEFI is written specifically for each type of machine, and for an exploit to work, it would have to target this specific type as well. For this reason, a Lenovo exploit wouldn’t work on a HP laptop, even if they had the same vulnerability.

What should the computer makers do about this vulnerability? The obvious answer is that they can ask their BIOS vendors to create a new UEFI package using Intel reference code from after the vulnerability was fixed and then distribute a BIOS update.

But of course, just because it’s easy to say that a BIOS update would solve the problem, issuing such an update can be very complex to current hardware owners. Worse, trusting individual owners to update the BIOS in their computers is a dangerous proposition. Done wrong, the result could be to prevent the computer from ever working again.

Of more concern is Oleksiuk’s suggestion that the ThinkPwn exploit applied in malware. While such a malware attack would of necessity be very difficult because it would require the  malware to detect the type of machine it was infecting, such sophisticated malware has already been created to attack other types of vulnerabilities.  This means that creating such malware to attack machines with different UEFI code is possible.

While there’s no reason to panic about the possibility of malware aimed at your computers’ BIOS, you also can’t afford to drop your guard. Instead, it’s important to keep in touch with Lenovo or whoever builds your computers and find out if there is a vulnerability. If there is you need to fix it as soon as possible.

Originally published on eWeek

Quiz: What do you know about Windows 10?