Lenovo seems to have run into trouble again as a security researcher claims that he has discovered a critical security flaw in ThinkPads that could potentially enable hackers to dodge the basic security protocols for Windows devices.
According to a post by Dmytro Oleksiuk, the security researcher who also goes by the moniker "Cr4sh" on GitHub, the flawed and susceptible firmware driver - which allows random System Management Mode (SMM) code execution - was apparently copied and pasted directly via Intel.
"Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things," noted Oleksiuk.
The researcher also disclosed that the flaw was present in the complete ThinkPad series of laptops. The ones he has checked include the T450s, which has the current firmware versions. The oldest model he was able to check was the X220.
Oleksiuk is of the opinion that Lenovo's ThinkPad series laptops are not the only ones that are flawed. Windows-powered devices from other OEMs - those that have the same vulnerable code from Intel - are also affected by the same zero-day vulnerability. The researcher also lists the HP Pavilion laptop - the 2010 version - as also suffering from the security flaw.
Lenovo has responded to the security flaw issue affecting its ThinkPads and revealed that it attempted to converse with Oleksiuk before the researcher published the compromised code for the security flaw, but met with failure.
The company validated that the notion that the critical security flaw has its origins in the code supplied by Intel was correct. However, it did not completely blame Intel for the SMM code issue.
The statement from Lenovo appears to hint at a possibility of the critical security flaw existing as a backdoor.
"Lenovo is engaging all of its IBVs [independent BIOS vendors] as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code," stated the company.
To which Oleksiuk had the following response on Twitter:
Lenovo is blaming it’s IBV, so, it’s 100% that there’s others OEM’s that have this vuln in their products
— Dmytro Oleksiuk (@d_olex) July 1, 2016
Lenovo has is currently investigating the matter and will work in tandem with its partners to come up with a fix for the SMM code issue as swiftly as possible.
