Lenovo has issued a BIOS fix for some of its machines, thus preventing a vulnerability which could allow potential hackers to gain control of a desktop or a laptop computer from the manufacturer.
In a press release published on the Lenovo website, the company has urged consumers to manually update their BIOS. Newer machines will have the fix by default.
The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. It was first spotted by an independent security researcher, Roel Schouwenberg.
Together with Schouwenberg, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including “a buffer overflow attack and an attempted connection to a Lenovo test server”.
As a result of these findings, Microsoft recently released updated security guidelines (see page 10 of this linked PDF) on how to best implement this Windows BIOS feature, it says in the release.
“Lenovo’s use of LSE was not consistent with these new guidelines. As a result, LSE is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware which disables and or removes this feature.”
Depending on the configuration of your BIOS, Lenovo has also put up instructions to help you install the update on your machine.
The full list of all affected machines can be found on this link.