Menu
Up to 100 Lenovo laptops are a security risk — what now?

Up to 100 Lenovo laptops are a security risk — what now?

Several Lenovo laptops won't be patched, as they're nearing the end of support.

Credit: Dreamstime

Security firm ESET has found several UEFI vulnerabilities in a wide swathe of over 100 different Lenovo consumer laptop models, which can be patched by updating the notebook's firmware.

The full list of affected laptops includes the Ideapad-3, the Legion 5 Pro-16ACH6 H, and the Yoga Slim 9-14ITL0. ESET discovered the vulnerability late last year. Lenovo then worked to develop a patch and released it on the manufacturer's website. ESET didn't say whether these vulnerabilities were actively being exploited in the wild.

Specifically, the three different vulnerabilities would allow an attacker to modify either the protected boot settings or the firmware itself, a change that would survive the reinstallation of the operating system, ESET said. UEFI threats can be extremely stealthy and dangerous, the firm wrote. 

They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed.

A third vulnerability in the SMI Handler code would allow an attacker with local access and elevated privileges to execute arbitrary code, giving them control of the machine.

To solve the problem, Lenovo recommends that users navigate to the support site (support.lenovo.com), which resolves to pcsupport.lenovo.com. The laptop manufacturer has addressed the vulnerability with a specific Web page devoted to it, where you can find this as well as supplementary information.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Lenovo

Events

EDGE 2024

Register your interest now for EDGE 2024!

Featured

Slideshows

How MSPs can capitalise on integrating AI into existing services

How MSPs can capitalise on integrating AI into existing services

​Given the pace of change, scale of digitalisation and evolution of generative AI, partners must get ahead of the trends to capture the best use of innovative AI solutions to develop new service opportunities. For MSPs, integrating AI capabilities into existing service portfolios can unlock enhancements in key areas including managed hosting, cloud computing and data centre management. This exclusive Reseller News roundtable in association with rhipe, a Crayon company and VMware, focused on how partners can integrate generative AI solutions into existing service offerings and unlocking new revenue streams.

How MSPs can capitalise on integrating AI into existing services
Access4 holds inaugural A/NZ Annual Conference

Access4 holds inaugural A/NZ Annual Conference

​Access4 held its inaugural Annual Conference in Port Douglass, Queensland, for Australia and New Zealand from 9-11 October, hosting partners from across the region with presentations on Access4 product updates, its 2023 Partner of the Year awards and more.

Access4 holds inaugural A/NZ Annual Conference
Show Comments