If you are sick of hearing about how Lenovo Machines are riddled with security flaws, then this ain’t the story for you.
Security researcher Dymtro “Cr4sh” Oleksiuk claims to have uncovered a flaw in Lenovo machines that could let attackers circumvent Windows’ basic security protocols. According to his post on Github, the vulnerable firmware driver was copy-and-pasted from data supplied by Intel. His concern was that other manufacturers might have adopted the same code — with at least one HP Pavillion laptop from 2010 already identified as packing the flaw.
Lenovo issued a public response, saying that it tried to speak to Oleksiuk before he published the flaw to no avail. It corroborated the suggestion that the code was supplied by a third party working from common code that came from Intel. The firm doesn’t go so far as to assign blame to the chipmaker, but there’s enough to imply that there’s a whole heap of fault going that way. Lenovo added that it’s investigating the issue and will work with its partners to develop a fix as soon as possible.
There’s also a theory that the compromising piece of code might not have been created in error, but placed there as a backdoor. Oleksiuk mentions this just once, in passing, but the Register points out that Lenovo’s public statement leaves a few questions. For instance, the manufacturer says that it is “determining the identity of the original author,” because it “does not know its originally intended purpose.” Although we’d like to think that if the CIA (or its brethren) did write it, it had the sense not to leave any evidence of its involvement.