When your operating system has a security vulnerability, you can patch it. When your BIOS — the basic input/output system controlling your computer's startup process — has a security vulnerability, fixing it is much more challenging.
Lenovo last week confirmed a potentially disastrous BIOS flaw that affects a wide range of Intel-based Lenovo laptops, including possibly all of the popular ThinkPad line, and may even extend to other computer manufacturers. A crafty cybercriminal could have a field day with this vulnerability.
Information about the flaw comes from an independent security researcher Dmytro Oleksiuk, who posted his findings on GitHub last week. Lenovo did not seem happy about Oleksiuk posting the information before the company itself could, claiming "several unsuccessful attempts to collaborate with the researcher in advance of his publication."
Either way, the online cat is out of the digital bag, and it's bad news no matter how you slice it. Oleksiuk theorizes that a malicious hacker with access to the flaw could run arbitrary code, disable system-wide protections, install fake firmware and bypass authorization credentials on ThinkPads set up to run in an business, or "enterprise," configuration. (You could do these to home machines as well, although it probably wouldn't be worth the effort involved.)
Lenovo confirmed that the flaw is real, but insists that the company did not write the wayward code. Rather, it came from one of its independent BIOS vendors (IBVs), or third-party provider of BIOS software, although the company did not specify which one. Lenovo is currently trying to divine "the original purpose of the code."
Here's where the bad news gets worse: Lenovo "works with the industry's three largest IBVs," meaning that there's a good chance that non-Lenovo machines can fall prey to this flaw as well. Indeed, one of Oleksiuk's followers said he had confirmed the presence of the flaw in an HP laptop.
There's no telling how far back the vulnerability goes, although Oleksiuk claims to have found it in a ThinkPad X220 from 2011. Newer machines like the T450 possess it as well, so the malady has apparently not improved over time.
Until Lenovo addresses the root cause of the BIOS flaw, there's no fix available, and everyday users can't do anything to protect themselves. There's no evidence that cybercriminals have exploited the flaw in the wild, so there may not be cause for alarm. On the other hand, now that Oleksiuk has released the details, an enterprising malefactor might try to put that information to good (or, more accurately, bad) use.