Lenovo scrambling to get a fix for BIOS vuln

The Register ^ | 4 Jul 2016 at 02:04 | Richard Chirgwin

[Utilizer]

Lenovo, and possibly other PC vendors, is exposed to a UEFI bug that can be exploited to disable firmware write-protection.

If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise.”

The reason Oleksiuk believes other vendors are also vulnerable is that the buggy code is inherited from Intel. He writes that the SystemSmmRuntimeRt was copied from Intel reference code.

[Utilizer]

This is looking more and more of a major concern as time goes by...

[butlerweave]

buggy code is EVERYWHERE

[Utilizer]

Thank you, Savouir Faire, for that illuminative observation, and be sure to give Mal Le Muutte an extra pat on the head when next you see him. :~{p

[W.]

Oh, thanks, you two, ya made me laugh and now my face hurts...

[usconservative]

Is it possible to even buy a modern motherboard that doesn't have UEFI?

I don't think so.

[Utilizer]

Yeh, well, not smiling for years at a time can kind of atrophy the necessary muscles if you don’t take pains to work them once in awhile. :)

So beware the dread Hawaiian disease Lak-anukki!!!

Because even a Little Brain is a terrible thing to wast!

(Yes, I deliberately misspelled it. /s)

[Utilizer]

Is it possible to even buy a modern motherboard that doesn't have UEFI?

Certainly!

Why do you think apple computers and atari 2600s are so popular?

(ducks!)

[W.]

No worries about my grins, they're constant.

Laughter IS the best medicine, as has been copywrighted....

[Utilizer]

Oh, right: I misspelled the disease (according to some experts).

It’s spelled “lakanukki”, with the “u” pronounced as in “you”.

Sorry for the confusion. ;)

[usconservative]

Why do you think apple computers and atari 2600s are so popular?

SNORT! Hey, my Apple makes a fine doorstop, it's still useful!

[upchuck]

Ping.

[Utilizer]

Really? You pinged dayglored to this thread? I thought he was all about the ‘doze platform, and not involved with the chipset side of things.

Isn’t there another FReeper who is managing something I believe is called the Hardware Ping List? Or did dayglored take over that one as well?

Just wondering... :)

[upchuck]

AFAIK, Dayglored manages the windows-centric ping list and Swordmaker manages the Apple-centric list.

If there’s another FReeper whose list would be more appropriate for this thread, please let me know.

[dayglored]

>> Really? You pinged dayglored to this thread? I thought he was all about the ‘doze platform, and not involved with the chipset side of things. Isn’t there another FReeper who is managing something I believe is called the Hardware Ping List? Or did dayglored take over that one as well? Just wondering... :)

> AFAIK, Dayglored manages the windows-centric ping list and Swordmaker manages the Apple-centric list. If there’s another FReeper whose list would be more appropriate for this thread, please let me know.

Okay, here's how I believe it's laid out:

• Swordmaker runs the Mac/OSX/Apple list

• ThunderSleeps runs the Android/Google list

• ShadowAce runs the "Tech Ping" list, which focuses on Linux/Unix but covers computer/networking hardware and software in general

• Dayglored runs the Windows/Microsoft list

• All of us include some amount of computer/networking hardware and software topics.

• Really cool non-computer new technology often shows up on ShadowAce's Tech list.

There are no hard-and-fast boundaries or "territories", just areas of primary interest as above. These lists (and we FReepers who run them) cooperate in the sense that we all alert each other to threads that might be of interest to our respective list members.

For example, this thread would be appropriate for my Windows/Microsoft list because Lenovo machines are primary Windows-based, so this BIOS vulnerability affects people who run Windows on Lenovos. It would be appropriate for ShadowAce's Tech list because it's about BIOS software, and because Lenovos are often used to run Linux. It would likely be of lower interest to Swordmaker's list because Lenovo hardware rarely runs Apple software; same likely in the case of ThunderSleeps and the Android list.

So upchuck's ping to me was appropriate, and a ping to ShadowAce would also be appropriate. A ping to Swordmaker and/or ThunderSleeps is not "out of line" but they would (I think) be unlikely to turn that into a ping to their respective lists.

Note, chipset stuff is of interest to the lists whose members might have hardware that includes that chipset, even if it isn't a personal computer (e.g. a set-top box or other embedded processor system).

Also note:

ShadowAce suffered a very serious cycle accident a short time ago and is only posting occasionally (and in lowercase!). Please send up some prayers for his recovery, and for strength and peace of mind for both him and his wife.

[Utilizer]

Hey, stranger, good to know you were about and thanks for the pinglist references. Good to know.

A minor point, AFAIK ShadowAce was involved in a Biking accident (motorcycle), I believe a collision with an object of considerable weight at about 50mph, but he survived so good on him for that. Difficult for his wife as well, of course, but to paraphrase an old saying: “Any landing you can walk away from is a good landing”.

Same when a biker takes a tumble.

Also, no offence to any cycling enthusiasts out there, this is not meant to belittle your hobby at all. Just correcting the record.

[dayglored]

> ...AFAIK ShadowAce was involved in a Biking accident (motorcycle),...

Correct, I should have specified "motorcycle". In the decades I rode, I referred to my vehicle variously as "motorcycle", "cycle", and "bike", so I guess I'm a bit sloppy in that regard.

I had a 1981 3-cylinder (850cc) Yamaha 850xs Midnight Special:

I had a serious highway accident in which I shattered my right wrist and only the Grace of God saved me from being flattened, as I flipped over the handlebars and landed prone in the on-coming lane. The bike's considerable weight and high CG were fine when I was younger, but increasing peripheral neuropathy in my feet made it increasingly difficult to manage. I gave the bike away to a friend a couple years ago.

[Utilizer]

Mine looked quite a bit like this one. 1972 Harley-Davidson Sportster -with many custom features. :)

[upchuck]

Thank you.

[Darnright]

Here’s to a rapid and complete recovery!

[Swordmaker]

So upchuck's ping to me was appropriate, and a ping to ShadowAce would also be appropriate. A ping to Swordmaker and/or ThunderSleeps is not "out of line" but they would (I think) be unlikely to turn that into a ping to their respective lists.

Yes, I saw this thread, but for the reasons Dayglored outlined, I did not ping the Apple list.