
Lenovo fixed flaws threat actors could have used to disable UEFI Secure Boot, a system guarding against malicious code execution, in Lenovo Notebooks.
Lenovo, the Chinese computer maker, fixed several vulnerabilities in the UEFI firmware affecting several of its popular laptop models such as Yoga, IdeaPad, and ThinkBook.
Researchers at cybersecurity company ESET discovered the flaws, two of which were deemed high-severity, and alerted the computer maker. The vulnerabilities would allow threat actors to deactivate UEFI Secure Boot if exploited.
UEFI, short for Unified Extensible Firmware Interface, is used to kickstart the hardware of a computer before loading the operating system. The Secure Boot function ensures that no malicious code is loaded during the device‘s boot process.
Accessing the target system before the operating system (OS) boots have severe security implications, as attackers can bypass virtually all security protections that rely on the OS and evade destruction even if the OS is reinstalled.
According to researchers at ESET, the flaws don‘t come from the code but rather from a production mistake. The affected drivers, ESET claims, were meant only to be used during the manufacturing process. However, Lenovo “mistakenly included” affected drivers in the production.
Researchers claim that the vulnerability can be exploited by creating NVRAM (non-volatile random-access memory) variables. However, Lenovo fixed the vulnerabilities using a BIOS fix.
“For those using one of the affected devices, we highly recommend updating to the latest firmware version,” researchers said.
Lenovo published the list of affected devices and offered mitigation strategies for users to fix the flaws.
Earlier this year, ESET discovered that over 70 models of Lenovo notebook devices were fitted with vulnerable UEFI firmware. Buffer overflow vulnerabilities in the UEFI firmware allowed attackers to carry out arbitrary code execution (ACE) attacks and disable essential security features.
More from Cybernews:
Russian hacktivist ‘noise’ may hide real dangers
Hackers were interested in Australia long before Medibank and Optus breaches
In elections, it’s easier to hack a human than a device
Bitcoin dominance less than three decades away, says online gaming entrepreneur
LG unveils stretchable display that could soon be everywhere
Subscribe to our newsletter
Your email address will not be published. Required fields are marked