posted by hubie on Thursday April 21 2022, @08:27PM   Printer-friendly
from the unified-euthenasia-for-idiots dept.

https://arstechnica.com/information-technology/2022/04/bugs-in-100-lenovo-models-fixed-to-prevent-unremovable-infections/

Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.

Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer's UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it's the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.
[...]
All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting one or more critical other vulnerabilities elsewhere that would already put a user at considerable risk.

Still, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes well beyond what's normally possible with more conventional malware. Lenovo has a list here of more than 100 models that are affected.


  • (Score: 0) by Anonymous Coward on Thursday April 21 2022, @08:43PM (2 children)

    by Anonymous Coward on Thursday April 21 2022, @08:43PM (#1238758)

    Maybe it is my lack of domain knowledge or my rapid skimming, but when I took a look at the article, I wasn't able to understand what exploit was being addressed. How exactly does a person exploit this CVE? Do they need to insert a USB drive and reboot? Do they need to access via remote network? Something else?

    • (Score: 0) by Anonymous Coward on Thursday April 21 2022, @09:18PM

      by Anonymous Coward on Thursday April 21 2022, @09:18PM (#1238763)

      You need physical access to the computer when it is booting and doing its BIOS thing.

    • (Score: 0) by Anonymous Coward on Thursday April 21 2022, @10:12PM

      by Anonymous Coward on Thursday April 21 2022, @10:12PM (#1238770)

      Booting Windoze?

  • (Score: 2, Troll) by Snotnose on Thursday April 21 2022, @08:54PM (8 children)

    by Snotnose (1623) on Thursday April 21 2022, @08:54PM (#1238760)

    If you read up on it the attacker needs physical access to your laptop. I dunno about you, but I don't see some Chinese national getting physical access to my laptop.

    It's not like some Chinese dude with a hot chick behind him rings my doorbell and sez "I would like to introduce you to our lord and savior, and if you want to save your soul Crystal here will abolish the evil from your laptop. Can we come in, and do you have any lemonade? This will only take a few minutes".

    --
    I just passed a drug test. My dealer has some explaining to do.
    • (Score: 1, Informative) by Anonymous Coward on Thursday April 21 2022, @09:26PM

      by Anonymous Coward on Thursday April 21 2022, @09:26PM (#1238765)

      Two words. Evil. Maid.

    • (Score: 2) by PinkyGigglebrain on Friday April 22 2022, @12:48AM

      by PinkyGigglebrain (4458) on Friday April 22 2022, @12:48AM (#1238787)

      I dunno about you,...

      You're right. You don't know about me.

      Considering who I have worked for and others I have done contract jobs for, this is relevant to me.

      By your own admission this article obviously doesn't concern you so why are you even commenting?

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
    • (Score: 3, Touché) by https on Friday April 22 2022, @03:08AM

      by https (5248) on Friday April 22 2022, @03:08AM (#1238803) Journal

      Customs agent.

      --
      Offended and laughing about it.
    • (Score: 0) by Anonymous Coward on Friday April 22 2022, @04:39AM

      by Anonymous Coward on Friday April 22 2022, @04:39AM (#1238812)

      Three words: evil maid attack. If you've ever left your laptop unattended in a not so secure location, like say in a hotel room, while you go out into town, an evil maid or cleaner could gain physical access to your laptop. Don't tell me you've never done this.
    • (Score: 2) by Freeman on Friday April 22 2022, @01:35PM

      by Freeman (732) Subscriber Badge on Friday April 22 2022, @01:35PM (#1238843) Journal

      It was interesting enough to note in the summary as well:

      All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting one or more critical other vulnerabilities elsewhere that would already put a user at considerable risk.

      Still, you want to patch that kind of thing ASAP.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2) by PiMuNu on Saturday April 23 2022, @06:27PM

      by PiMuNu (3823) on Saturday April 23 2022, @06:27PM (#1239059)

      IIRC Lenovo is a Chinese company, so the Chinese national was already there (but presumably US/Europe is up to the same tricks)

    • (Score: 2) by Snotnose on Saturday April 23 2022, @10:22PM (1 child)

      by Snotnose (1623) on Saturday April 23 2022, @10:22PM (#1239082)

      I'm curious. Who modded me troll, and why? The attacker needs physical access. I don't see a lot of ways attackers can get physical access to many laptops, especially if they're an ocean away.

      I don't really give a shit, just curious on your thinking.

      --
      I just passed a drug test. My dealer has some explaining to do.
      • (Score: 2) by Common Joe on Monday April 25 2022, @03:15AM

        by Common Joe (33) <{common.joe.0101} {at} {gmail.com}> on Monday April 25 2022, @03:15AM (#1239264) Journal

        I did not mod you troll, but if I had to guess, it had something to do with specifically mentioning "Chinese national" when it could be anyone from anywhere initiating the evil maid attack.

        [Shrug] In this case, I don't particularly agree with your comment (as the Chinese can put hidden backdoors into a Lenovo before it leaves the manufacturer), but I wouldn't consider it trolling either.

  • (Score: 4, Insightful) by Rich on Friday April 22 2022, @01:44AM

    by Rich (945) on Friday April 22 2022, @01:44AM (#1238793) Journal

    Can we have the bootloader in a PROM, please? Socketed and relying on a voltage that's not present in that socket for programming. Thank you.
