Dated Intel code leaves Lenovo laptops and Gigabyte motherboards vulnerable

A security researcher has discovered a nasty flaw that he originally thought only affected Lenovo laptops, but it turns out that's not the case. The critical security vulnerability also affects at least one HP laptop and a handful of Gigabyte motherboards aimed at gamers, including the GA-Z77X-UD5H, GA-Z68-UD3H, GA-Z87MX-D3H, and GA-Z97-D3H.

Dmytro "Cr4sh" Oleksiuk published an exploit for the vulnerability called ThinkPwn without first sharing his findings with Lenovo, PCWorld reports. The exploit can be used to sidestep security features built into Windows and allow an attacker to execute malicious code in the CPU's privileged System Management Mode (SMM).

This is low-level access that could pave a path for a rootkit in a PC's Unified Extensible Firmware Interface (UEFI), and also to disable things like Secure Boot, Virtual Secure Mode, and other Windows security features.

According to Lenovo, the vulnerable code came from a UEFI package sent to it by one of its independent BIOS vendors (IBVs), which are companies that customize reference UEFI code for PC makers.

"The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose," Lenovo states in a security advisory. "But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code." 

Oleksiuk surmises that the vulnerability was present in Intel's reference code for its 8-series chipsets. Intel fixed the flaw two years ago, but since there was never any public advisories, IBVs and PC makers might have continued using the old and vulnerable reference code unaware that a patch existed.

That would explain why Lenovo isn't the only one affected, as originally thought. Another security researcher, Alex James, discovered the same vulnerability on an HP Pavilion dv7-4087cl laptop, along with the aforementioned Gigabyte motherboards. It's also possible that the vulnerability is present on other products, so keep an eye out for a firmware update no matter what machine or motherboard you own.