2 min

On Tuesday, Lenovo announced security patches for more than 100 laptop models to address significant vulnerabilities that allow sophisticated hackers to install malicious software that is nearly hard to delete or detect in some circumstances.

Hackers may be able to change a computer’s UEFI by exploiting three flaws that impact over 1 million laptops. The UEFI, which stands for Unified Extensible Firmware Interface, is the program that connects a computer’s device firmware to its operating system.

It is the first link in the security chain, as it is the first piece of software to start when practically any modern system is switched on.

Patches should be applied

Infections are difficult to detect and much harder to eradicate since the UEFI is stored on a flash chip on the motherboard.

CVE-2021-3971 and CVE-2021-3972 are two vulnerabilities in UEFI firmware drivers that are exclusively used during the production process of Lenovo consumer laptops. The drivers were mistakenly included in the production BIOS images without being properly disabled by Lenovo developers.

Hackers can use these vulnerable drivers to disable security features such as UEFI secure boot, BIOS control register bits, and protected range register, which are built into the serial peripheral interface (SPI) and meant to keep out unauthorized firmware modifications.

Don’t panic, yet

The three flaws need local access, which means the attacker must already have complete control over the affected laptop. The threshold for that kind of access is high, and it would require exploiting one or more additional significant flaws elsewhere, which would already put a user in danger.

Nonetheless, the flaws are dangerous because they allow malware to infect susceptible devices beyond what is generally feasible with more traditional ransomware. Lenovo has compiled a list of over 100 models that are impacted.