Security News
The UEFI firmware used in several laptops made by Lenovo is vulnerable to three buffer overflow vulnerabilities that could enable attackers to hijack the startup routine of Windows installations. Lenovo has issued a security advisory disclosing three medium severity vulnerabilities tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892.
Three high-impact Unified Extensible Firmware Interface security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices. Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two "Affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks," ESET researcher Martin Smolár said in a report published today.
Got a Lenovo laptop? You might need to do a swift bit of patching judging by the latest set of vulnerabilities uncovered by security researchers at ESET. Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972."UEFI threats can be extremely stealthy and dangerous," said ESET researcher Martin Smolár, who discovered the vulnerabilities.
Lenovo has published a security advisory on vulnerabilities that impact its Unified Extensible Firmware Interface loaded on at least 100 of its laptop models. A total of three security issues were discovered, two of them allowing an attacker to disable the protection for the SPI flash memory chip where the UEFI firmware is stored and to turn off the UEFI Secure Boot feature, which ensures the system loads at boot time only code trusted by the Original Equipment Manufacturer.
Lenovo has published a security advisory on vulnerabilities that impact its Unified Extensible Firmware Interface loaded on at least 100 of its laptop models. A total of three security issues were discovered, two of them allowing an attacker to disable the protection for the SPI flash memory chip where the UEFI firmware is stored and to turn off the UEFI Secure Boot feature, which ensures the system loads at boot time only code trusted by the Original Equipment Manufacturer.
Lenovo at CES announced new ThinkPads with AMD's Ryzen chips, and the laptops will ship without Pluton turned on. "Pluton will be disabled by default on 2022 Lenovo ThinkPad platforms. Specifically the Z13, Z16, T14, T16, T14s, P16s and X13 using AMD 6000-series processors. Customers will have the ability to enable Pluton themselves," a Lenovo spokesperson told The Register.
Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges. The flaws are tracked as CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component of all Lenovo System Interface Foundation versions below 1.1.20.3.
"We see a bright future ahead," he said in a press release, "One with more solutions for hybrid work models and a focus on technology as a force for good." Without further ado, here are Rossi's top tech predictions for 2022.1.
NortonLifeLock announced that the Norton Security Universal Windows Platform app will be pre-installed on select new Lenovo laptop PCs. Expanding its collaboration of more than two decades, NortonLifeLock will help protect Lenovo's always-on, always-connected laptops, including the Yoga 5G, IdeaPad 5G and IdeaPad 4G LTE, bringing a trusted level of security to consumers. Last year, Lenovo paved the way for 5G-connected laptops with the introduction of the innovative Yoga 5G. Now, with the release of the mainstream IdeaPad 5G and IdeaPad 4G LTE models earlier this year, Lenovo expands consumers' options and access to the freedom of all-day, anywhere connectivity.
Lenovo this week published information on three vulnerabilities that impact the BIOS of two of its desktop products and approximately 60 laptop and notebook models. Tracked as CVE-2021-3452 and affecting tens of ThinkPad models, the first of the bugs impacts the system shutdown SMI callback function and could be abused by a local attacker that already has elevated privileges on the device to execute arbitrary code.