Archive for Lenovo

Users Of Lenovo Laptops Need To Update Their BIOS Firmware ASAP To Avoid Getting Pwned

Posted in Commentary with tags on April 19, 2022 by itnerd

Researchers at ESET have discovered that over 100 Lenovo laptop models have bugs in their UEFI BIOS firmware that allow threat actors to disable the protection for the SPI flash memory chip where the UEFI firmware is stored, and to turn off the UEFI Secure Boot feature, which ensures that the system loads only code trusted by the Original Equipment Manufacturer at boot time:

ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models. The first two of these vulnerabilities – CVE-2021-3971 and CVE-2021-3972 – affect UEFI firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks. Unfortunately, they were also mistakenly included in the production BIOS images without being properly deactivated. These affected firmware drivers can be activated by an attacker to directly disable SPI flash protections (BIOS Control Register bits and Protected Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during OS runtime. It means that exploitation of these vulnerabilities would allow attackers to deploy and successfully execute SPI flash or ESP implants, like LoJax or our latest UEFI malware discovery ESPecter, on the affected devices.

This was reported to Lenovo and a security advisory has been put out with the following advice:

Update system firmware to the version (or newer) indicated for your model in the Product Impact section.

The list isn’t small as it has over 100 notebooks on it. But if your Lenovo notebook is on that list, you need to update your BIOS firmware ASAP because now that this is out there, threat actors will be trying to pwn all they can before updates are widely installed.
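As an added illustration of the SPI flash protections the ESET excerpt names (BIOS Control Register bits and Protected Range registers), here is a small decoder, written for this page and not ESET's or Lenovo's code, that evaluates whether those register values would still block a flash write from the running OS. Bit layouts follow Intel's public PCH datasheets and the sample register values are constructed.

```python
"""Decode Intel PCH SPI flash write-protection state (BIOS_CNTL and PRx)."""
from typing import List, Optional, Tuple

# BIOS_CNTL bit positions (Intel PCH datasheets).
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region of flash is writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI#
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only allowed while in SMM

# Protected Range (PR0..PR4) fields in the 7/8-series PCH layout; newer
# PCHs widen the base/limit fields, so adjust PR_FIELD_MASK for those.
PR_WPE = 1 << 31          # Write Protection Enable
PR_FIELD_MASK = 0x1FFF    # base in bits 12:0, limit in bits 28:16, 4 KiB units
PR_LIMIT_SHIFT = 16

def decode_pr(value: int) -> Optional[Tuple[int, int]]:
    """(base, limit) flash addresses covered by a PRx value, or None if WPE is clear."""
    if not value & PR_WPE:
        return None
    base = (value & PR_FIELD_MASK) << 12
    limit = (((value >> PR_LIMIT_SHIFT) & PR_FIELD_MASK) << 12) | 0xFFF
    return base, limit

def bios_cntl_protects(bios_cntl: int) -> bool:
    """True if BIOS_CNTL alone blocks flash writes from outside SMM.
    BIOSWE must be clear, BLE set (flipping BIOSWE at runtime then triggers an
    SMI that clears it again) and SMM_BWP set (so a write cannot race that SMI).
    BLE without SMM_BWP is the well-known racy configuration and does not count.
    """
    return (not bios_cntl & BIOSWE) and bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP)

def region_protected(bios_cntl: int, prs: List[int], region: Tuple[int, int]) -> bool:
    """Is flash range [start, end] write-protected by BIOS_CNTL or by some PRx?
    This is the check a firmware scanner performs after a BIOS update; a driver
    that clears these bits, as the ESET excerpt describes, turns it False.
    """
    if bios_cntl_protects(bios_cntl):
        return True
    start, end = region
    return any(
        (pr := decode_pr(v)) is not None and pr[0] <= start and pr[1] >= end
        for v in prs
    )

# Constructed sample register values (not read from real hardware).
LOCKED_CNTL = BLE | SMM_BWP    # 0x22: BIOSWE clear, both locks set
UNLOCKED_CNTL = BIOSWE         # what a lock-disabling driver leaves behind
PR0_BIOS_REGION = PR_WPE | (0x0FFF << PR_LIMIT_SHIFT) | 0x0800  # covers 0x800000-0xFFFFFF
```

On a real machine the register values come from a firmware-security scanner rather than being typed in; the functions above only decide what a given set of values means.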

Lenovo Really Screwed Up This Time By Shipping Laptops With Loose Screws

Posted in Commentary with tags on February 7, 2018 by itnerd

You can’t make this stuff up.

Lenovo is recalling their top of the line ThinkPad Carbon X1 laptops. The reason? If they were manufactured between December 2016 and October 2017, they may have a screw that wasn’t properly tightened during the assembly process. That loose screw could potentially damage the battery pack’s lithium-ion polymer layer and cause a short, which in turn can cause a fire. Which of course is bad.

The US Consumer Product Safety Commission has details on the recall here:

The recall only currently covers the US and Canada as far as I can tell. So if you own one of these laptops, click on the links in the Tweet above and get the details on how to get this sorted.

Needless to say, this is one hell of a screw up.

Lenovo Slapped With Stiffer Punishment Over Superfish Scandal

Posted in Commentary with tags on January 4, 2018 by itnerd

The last time I wrote about the Lenovo Superfish spyware, the FTC had slapped them on the wrist with a $3.5 million fine and some other measures that I questioned would deter similar behavior in the future. That changed with this settlement [WARNING: PDF], which forces Lenovo to do the following:

  • Not install any bloatware/adware/spyware/evil stuff without explicit user permission.
  • Open themselves up to third-party auditing for the next 20 years.
  • Create a “comprehensive” software security program to protect the data it has collected on customers as well as fix any security risks it identifies on its laptops and the apps they are running through the program.

This is actually good. Seeing as Lenovo pretty much installed spyware on laptops, the fact that they’re under this much scrutiny should send a message that this sort of behavior is not acceptable.

Lenovo Escapes Superfish Scandal With A Slap On The Wrist

Posted in Commentary with tags on September 6, 2017 by itnerd

You might recall that laptop maker Lenovo was caught installing adware that put its customers at risk a couple of years ago. After it kind of, sort of promised to get rid of the adware, and having had third parties prove that it was dangerous, the company admitted that the adware was dangerous. Though I guess that being sued had something to do with that. Well, the FTC looked into the matter and decided to dole out some punishment. Here’s what Lenovo got:

As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers’ affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.

Oh yeah, they don’t have to admit that they did anything wrong, and they also cut a cheque for $3.5 million. Seeing as the company says that they pulled in $535 million last fiscal year, this is a slap on the wrist and will do little to deter others from pulling a stunt like this. Which means that consumers are not protected from companies that put profit over the safety of their customers.

A Potential Back Door Into Many PCs Has Vendors Scrambling

Posted in Commentary with tags on July 4, 2016 by itnerd

Many PC vendors have a serious problem on their hands. A security researcher has found a UEFI BIOS bug that can be exploited to disable firmware write-protection. Meaning that anyone who is smart enough to exploit what Dmytro Oleksiuk posted on GitHub can do this:

disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise.

Meaning, they can put their own code into the BIOS firmware before the Windows 10 OS boots and pwn the computer completely. That’s just delightful.

Lenovo is at the top of this list, and they have an advisory out saying that the vulnerable code came from an upstream BIOS vendor. That means that it is likely that other vendors getting BIOS software from the same company will also be vulnerable. Not only that, there’s this little tidbit:

The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose. But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.

That paragraph gives one the impression that this was an intentional back door that was created for who knows what purpose. That’s not good, and you can be sure that people at PC manufacturers worldwide are scrambling to make sure that computers that they have sold and are currently selling do not get pwned.

Oh, in case you were wondering. There currently is no fix for this. Lovely.

Lenovo To World: Uninstall An App We Supplied Because Of Security Threat

Posted in Commentary with tags on June 4, 2016 by itnerd

Frequent readers of this blog will know that I am no fan of Lenovo because of how they do business and their frequent security “issues”, both of which inspire me to never buy their products. Well, the latter has happened again. Lenovo is warning users to uninstall its Accelerator support application after it was revealed that it can be the victim of a man-in-the-middle attack:

A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.

The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.

Lovely. Given this and their past record, it seems that if you really must buy Lenovo hardware, it is in your best interest to format the hard drive and install your own copy of Windows. Clearly there are enough security holes in their products that you may not have any other choice.

#Fail: Default Password For Lenovo App Is 12345678

Posted in Commentary with tags on January 26, 2016 by itnerd

Lenovo and their less than stellar security record strikes again.

This time it’s their ShareIT app that could be exploited by anyone who can guess that ‘12345678’ could be a password. Which would be everyone seeing as that’s the most popular and least secure password around. Lenovo let this slip via a security advisory. Remember, this is the firm that brought you the Superfish gong show. So you know that security is not top of mind over at Lenovo HQ.

Lenovo has released an updated version of the app. But given their track record, one wonders what that will bring to users in the way of potential security issues.

Lenovo Collects Usage Data On ThinkPad, ThinkCentre and ThinkStation PCs

Posted in Commentary with tags on September 22, 2015 by itnerd

I have to start this story off with these three letters: WTF

Lenovo, who has done lots of stupid stuff over the last little while, is doing more stupid stuff. Via Computerworld, here’s the story on their latest bit of stupidity. Michael Horowitz reports that a refurbished ThinkPad he bought includes Lenovo spyware under the guise of “Customer Feedback”. After some digging around, he found the following in a support document: “Lenovo says here that all ThinkPad, ThinkCentre and ThinkStation PCs, running Windows 7 and 8.1, may upload ‘non-personal and non-identifying information about Lenovo software application usage’ to 112.2o7.net.”

You’ve got to be kidding. The application is apparently made by a company called Omniture. Here are the details from the Computerworld article:

According to Wikipedia, Omniture is an online marketing and web analytics firm, and SiteCatalyst (since renamed) is their software as a service application for client-side web analytics.

So, while there may not be extra ads on ThinkPads, there is some monitoring and tracking.

Why do they do this? For a few extra bucks? Are they spying for China, seeing as they’re a Chinese company? What’s the deal here? I’ve said it before and I will say it again: this sort of stupidity by Lenovo is why I don’t recommend their computers to my clients. Ever. You should avoid them like the plague as well, as this company doesn’t deserve your money.

Lenovo Once Again Shipping Laptops With Security Issues

Posted in Commentary with tags on August 22, 2015 by itnerd

The reasons not to ever buy computers from Lenovo have just increased with the news that their laptops have software in the BIOS that stops consumers from doing a truly clean install of Windows without any Lenovo software on it. As a side effect, it exposes you to getting pwned:

The latest issue relates to a “feature” in Lenovo’s BIOS firmware that automatically downloads Lenovo software and services, even if the user has performed a clean install of Windows. Microsoft actually allows this practice, but Lenovo’s particular implementation—dubbed “Lenovo Service Engine”—led to a security vulnerability, which an independent security researcher discovered in the April to May timeframe.

In response, Microsoft has put out security guidelines for this BIOS technique, which it calls the “Windows Platform Binary Table.” Because Lenovo Service Engine doesn’t meet those guidelines, Lenovo has stripped the tool from its BIOS firmware in all PCs shipped after June. The company has also released a special disabler tool, and on July 31 released a BIOS update to remove the tool from existing PCs. Dozens of consumer laptop and desktop models are affected, but Lenovo says its Think-brand PCs are not.

This is just plain unacceptable. After this issue where they preinstalled adware on their laptops, or this issue where they knowingly shipped faulty computers to customers, or even this issue where Lenovo “accidentally” priced their computers wrong and refused to honor their price, is there any reason to ever buy any of their products? It honestly seems that this company only wants to screw you over at every opportunity that they see.

This company really needs to no longer exist.

Lenovo Knowingly Ships Faulty Computers To Customers…. Offers Discount To Make Nice

Posted in Commentary with tags on May 12, 2015 by itnerd

You know, after this incident where Lenovo made a pricing “mistake” and this incident where Lenovo shipped computers with malware, my opinion of the company isn’t good. It’s taken another dip today when I read this story about Lenovo apparently shipping computers to customers knowing that they were defective:

When the Lenovo LaVie Z superlight laptop was introduced during CES 2015, it was among the hottest products at the show. So when we were finally able to order the LaVie Z 360 (we buy all the computers we test), we were looking forward to getting it into the lab. What arrived instead was a letter from the company apologizing for some flaws with the new product.

And:

The letter, which CR received by e-mail, explained that Lenovo had made “a couple missteps” in its “haste to bring the product to market.” Apparently, when the computer is used in tent mode, the display doesn’t auto-rotate. Yep, that means you’d see an upside-down image. The letter explained that you could use Windows commands to fix that, but that “this is not a great user experience.”

And that’s not all, Lenovo continued. In stand mode, the keyboard doesn’t automatically deactivate. “A user may be okay in Stand Mode with LaVie Z lying flat on a table, but if it were on your lap for example, the keys may depress and once again cause an unsatisfactory user experience.” Yes, we agree: That would be unsatisfactory.

Now here’s the kicker. Here’s what Lenovo is going to do about it:

This all seemed like a prelude to an announcement that shipments were being delayed for a couple of weeks while the problems were fixed. Not so. In reality, Lenovo was planning to ship the computers as is—while refunding 5 percent of the cost.

So, Lenovo is shipping computers that they know to be defective and they don’t plan on fixing them. At least, not at present. Instead, you get a 5% refund. Am I the only one who is underwhelmed by this?

One wonders if this company is serious in terms of treating its customers well and staying in business.