Lenovo laptops hit by (another) gaping security vulnerability

News
By published

Other PCs may also be affected including HP models

Lenovo ThinkPad P70

Lenovo PCs have another critical vulnerability potentially exposing users to all manner of nastiness, and this flaw apparently isn't limited to Lenovo machines, either.

Security researcher Dymtro "Cr4sh" Oleksiuk first found the UEFI bug, which can be leveraged to disable firmware write protection, on a Lenovo machine (the zero-day exploit has been dubbed 'ThinkPwn').

Oleksiuk initially said it was present on all ThinkPad laptops he tested, observing: "Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things."

However, it later emerged that this flaw actually originates from reference code supplied by Intel, and so the researcher noted there was a "high possibility" that said vulnerable code may also be present in the firmware of other PC vendors.

Indeed, another source claimed the exploit affected his HP Pavilion laptop, and the vulnerable code was found in a number of motherboards from Gigabyte.

Industry-wide issue

As Engadget reports, Lenovo is now apparently investigating the issue and cooking up a fix, with the manufacturer posting an advisory which called the BIOS vulnerability an "industry-wide" issue – so we could still see further fallout from this.

Lenovo stated: "Lenovo is committed to the security of its products and is working with its IBVs and Intel to develop a fix that eliminates this vulnerability as rapidly as possible."

The company further observed: "The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose."

The latter part of this statement has led to some speculation that rather than some sort of accidental vulnerability, this hole was actually left on purpose as some manner of backdoor.

Maybe we'll hear more on that as the investigation proceeds, but we wouldn't hold our breath.

TOPICS
Darren Allan

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).

Latest in Pro
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
AI quantization
What is AI quantization?
US flags
US government IT contracts set to be centralized in new Trump order
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Latest in News
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
More about pro
SDUNITED AX835-025FF mini PC

This mini PC with the incredible Strix Halo APU is yet another sign AMD may have given up on big brands for bleeding edge tech
Dell Pro Max with GB300

HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
The iPhone 16 Pro Max and Samsung Galaxy S25 Ultra

5 things I want from the iPhone 17 – or I’m out and back to Android
See more latest
Most Popular
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it
SDUNITED AX835-025FF mini PC
This mini PC with the incredible Strix Halo APU is yet another sign AMD may have given up on big brands for bleeding edge tech
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Dell Pro Max with GB300
HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space