PC manufacturer Lenovo warns for a zero-day vulnerability in the UEFI driver of its ThinkPad laptops for which no security patch is available. The vulnerability allows an attacker to execute code through System Management Mode, a administration layer with many privileges that normally is only accessible by the CPU.
An attacker could use this to disable any security measures of the operating system such as Secure Boot and Virtual Secure Mode, as found in Windows 10.
The security researcher who discovered the vulnerability disclosed the details and source code for the attack without informing Lenovo first. Therefore no patch is available yet. Lenovo has stated that the affected code has not been developed by the company itself. The company has to wait for the BIOS vendor to release a patch.
Therefore the same code could also run on other computers of Lenovo making them vulnerable too. The computer manufacturer has stated to be investigating the case together with Intel and other BIOS vendors. The company is also working with several parties to develop a patch for the vulnerability, it’s however unknown when it will be ready.
It’s not the first time Lenovo reports about security issues with their computers, previously it became known their laptops shipped with adware, rootkits, insecure update software and many other issues.