date 2021-04-22
from the unified-euthenasia-for-idiots dept.
Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.
Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer's UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it's the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.
All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting one or more other critical vulnerabilities elsewhere that would already put a user at considerable risk.
Still, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes well beyond what's normally possible with more conventional malware. Lenovo has a list of more than 100 models that are affected.
(Score: 0) by Anonymous Coward on Thursday April 21, @08:43PM (1 child)
Maybe it is my lack of domain knowledge or my rapid skimming, but when I looked at the article, I wasn't able to understand what exploit was being addressed. How exactly does a person exploit this CVE? Do they need to insert a USB drive and reboot? Do they need to access via remote network? Something else?
(Score: 0) by Anonymous Coward on Thursday April 21, @09:18PM
You need physical access to the computer when it is booting and doing its BIOS thing.
(Score: 2) by Snotnose on Thursday April 21, @08:54PM (1 child)
If you read up on it the attacker needs physical access to your laptop. I dunno about you, but I don't see some Chinese national getting physical access to my laptop.
It's not like some Chinese dude with a hot chick behind him rings my doorbell and sez "I would like to introduce you to our lord and savior, and if you want to save your soul Crystal here will abolish the evil from your laptop. Can we come in, and do you have any lemonade? This will only take a few minutes".
(Score: 0) by Anonymous Coward on Thursday April 21, @09:26PM
Two words. Evil. Maid.