Lenovo laptop users need to install critical security patches immediately to fix several major vulnerabilities that expose their devices to dangerous malware.
Why are Lenovo laptops vulnerable?
According to a recent Lenovo security advisory, vulnerabilities exist in the Unified Extensible Firmware Interface (UEFI) of more than 100 of the manufacturer’s laptop models that could allow hackers to write and install modified firmware with hidden malware, opening the device, and the data on it, to further exploitation. Given the nature of the vulnerability, it is nearly impossible to find and remove modified firmware or hidden malware installed on infected devices.
How can hackers take advantage of my Lenovo’s security?
Although the vulnerabilities are serious, hackers need local administrator-level access to successfully exploit them, which can only be achieved through physical access to the affected device or remote access through a virtual desktop program. Anyone with a cursory knowledge of cybersecurity will recognize that such vulnerabilities can pose a threat to enterprise-level Lenovo users and companies that allow employees to use work machines remotely, but according to the list of affected devices, these vulnerabilities are only present in consumer-level Lenovo laptops. It is much less likely that some random threat actor will gain the necessary access.
As noted by Ars Technica, there are only a few known instances of UEFI firmware hijacking: the infamous Trickbot malware; the “Lojax” malware written by the Russian state hacking group Sednit; and a custom UEFI firmware that cybersecurity firm Kaspersky found in 2018, although its only two targets were politicians from Asia.
So do I need to worry?
While exploitation of these vulnerabilities in the wild is unlikely, there are still concerns for the average user. Hackers often trick unsuspecting users into installing remote desktop software on their computers without realizing it, usually through phishing scams, fake advertisements, or modified download files. In some cases, hackers can even elevate their user privileges to remotely install apps and firmware, and millions of unpatched Lenovo laptops are now perfect targets.
How to Update Your Lenovo Laptop
You can see which laptops are affected in Lenovo’s security bulletin. If your laptop model is listed, follow the link in the bulletin to download the patched firmware and install it on your computer. Downloads can also be found via Lenovo’s official support page.