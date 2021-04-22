Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.

Three vulnerabilities affecting more than 1 million laptops can give hackers the ability to modify a computer's UEFI. Short for Unified Extensible Firmware Interface, the UEFI is the software that bridges a computer's device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it's the initial link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and even harder to remove.

[...]

All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting one or more critical other vulnerabilities elsewhere that would already put a user at considerable risk.

Still, the vulnerabilities are serious because they can infect vulnerable laptops with malware that goes well beyond what's normally possible with more conventional malware. Lenovo has a list here of more than 100 models that are affected.