Lenovo Patches BIOS Vulnerabilities Affecting These 25 Laptop Models, Update ASAP
Lenovo has been in the computer game for some time. In 2005 it purchased IBM's personal computer line that held the prefix moniker "Think," such as ThinkPad and ThinkCentre. It has since expanded the product offering to include much more, such as ThinkBooks, the Yoga series, and the Legion lineup, in addition to phones, servers, and way more. That doesn't mean the Hong Kong company hasn't faced issues, though, and apparently there's a pretty nasty one that Lenovo is rolling out a patch for right now.
The security flaw was reported to Lenovo by the Slovakian security software developer and researcher ESET. Apparently, in several models of Lenovo laptops, the UEFI firmware allows for disabling UEFI Secure Boot or restoring factory default Secure Boot databases from within the operating system.
Now, if you have access to the BIOS, these are features and functions that can be done manually, but these are not something that should be accessible through the operating system. In fact, ESET points out that this vulnerability grants access to bootloaders, which can be significantly more dangerous to your computer and its security, at least if you aren't doing it on purpose.
The ESET team goes on to say in its Twitter thread that affected devices include several Yoga, ThinkPad, and IdeaPad laptops. However, in the same thread the company also points out that most devices within the Lenovo Support Window have had patches rolled out.
Consumers should be made aware, though. As this is a BIOS update, it's extremely unlikely that they will get this via an operating system update. So Windows ssers are encouraged to either use the Lenovo Vantage software included with their device, or download the new BIOS manually (either way, be sure to back up any important data first).
Image of Lenovo ThinkBook
Lenovo has also issued a support statement and a complete listing of all affected models as well as links to updates. We at HotHardware often highly encourage keeping all of your devices and components as up to date as possible to ensure reduced risk of security issues, and this is definitely one we will advise people to update to.