A security flaw that affects the BIOS of multiple Lenovo computers remains unpatched nearly a week after an independent security researcher discovered it.
The flaw, which could enable arbitrary code execution, affects the ThinkPad system management mode (SMM), according to a post on Github by a person who identified himself as Dmytro Oleksiuk.
By running arbitrary code in the SMM, a hacker could disable flash write protection and bypass the secure boot-up feature of Windows 10's Enterprise edition, among other actions, according to Oleksiuk. He wrote on June 30 that he confirmed the vulnerability on several Lenovo laptops, from the ThinkPad T450s to the older ThinkPad X220. The possibility for remote code execution could be present in the firmware of other manufacturers in addition to Lenovo, he added.
In a security advisory posted to its website, Lenovo said it confirmed the BIOS vulnerability that Oleksiuk posted, and is still working to find a solution.
"At this point, Lenovo knows that vulnerable SMM code was provided to Lenovo by at least one of our Independent BIOS Vendors (IBVs)," the advisory said. IBVs supply firmware for PC makers. Lenovo said it works with three IBVs, though it did not specify which of its computer models use the affected BIOS.
In addition to BIOS suppliers, the company says code from Intel may also contribute to the vulnerability.
Report: Bloatware Security Flaws Affect Millions of PCs
"The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel," Lenovo wrote. "Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose.
"But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code."
The vulnerability comes more than a year after the Superfish flaw, which affected adware installed on Lenovo PCs. About a week after it was discovered, Lenovo offered a tool that would remove the software.