Security researcher uncovers high-risk BIOS vulnerability in Lenovo PCs

According to researcher Dmytro Oleksiuk, aka Cr4sh, the erroneous code exploits a 0day privilege escalation vulnerability in Lenovo’s BIOS. The bug can be used to defeat flash write protection and to disable UEFI Secure Boot, Virtual Secure Mode and Credential Guard on most Windows Enterprise powered Lenovo PCs. And this is only a short list of the malicious things that can be done using this vulnerability.

Another serious vulnerability. I wonder: how many of the vulnerable BIOSes will actually be updated versus those that will remain permanently vulnerable to this kind of attack? And doesn’t the persistence of new vulnerabilities speak to the failure of manufacturers to secure endpoint devices, thus obviating some government concerns surrounding the encryption of communications?