Enlarge / That is the 14-inch variant of the Yoga Slim 9i, with leather-based end. (credit score: Lenovo)
Lenovo has launched safety updates for greater than 100 laptop computer fashions to repair crucial vulnerabilities that make it doable for superior hackers to surreptitiously set up malicious firmware that may be subsequent to unimaginable to take away or, in some instances, to detect.
Three vulnerabilities affecting greater than 1 million laptops may give hackers the power to change a pc’s UEFI. Brief for Unified Extensible Firmware Interface, the UEFI is the software program that bridges a pc’s gadget firmware with its working system. As the primary piece of software program to run when just about any fashionable machine is turned on, it’s the preliminary hyperlink within the safety chain. As a result of the UEFI resides in a flash chip on the motherboard, infections are tough to detect and even more durable to take away.
Oh, no
Two of the vulnerabilities—tracked as CVE-2021-3971 and CVE-2021-3972—reside in UEFI firmware drivers meant to be used solely in the course of the manufacturing means of Lenovo client notebooks. Lenovo engineers inadvertently included the drivers within the manufacturing BIOS photos with out being correctly deactivated. Hackers can exploit these buggy drivers to disable protections, together with UEFI safe boot, BIOS management register bits, and guarded vary register, that are baked into the serial peripheral interface (SPI) and designed to forestall unauthorized modifications to the firmware it runs.
Learn 7 remaining paragraphs | Feedback
