Intel is said to have supplied the data which Lenovo copy-pasted into its code.
Lenovo has been caught, yet again, with its pants down in an embarrassing position: once again its machines have been riddled with security flaws. No superfish this though.
As per Dymtro “Cr4sh” Oleksiuk, a security researcher, Lenovo machines have a flaw that could allow attackers circumvent Windows’ essential security protocols.
According to his Github post, the vulnerability lies in its firmware driver, which it copy-pasted from data supplied by Intel. So yes, technically it’s not Lenovo’s fault but Intel. If other manufacturers have adopted the same approach the vulnerability could be widespread. Currently HP Pavillion laptop from 2010 have been identified as packing the flaw.
On its part, Lenovo has issued a public response saying that it had tried to communicate with the security researcher. However that didn’t work out.
It has corroborated Oleksiuk’s finding that the vulnerability lied in the code supplied by a third party working from a common repository of code which came from Intel.
Although Lenovo has not formally assigned the blame on Intel, there is enough in its language to indicate where the actual fault lies. On a positive note, Lenovo has disclosed that it is investigating the issue and is working with its partners to develop a fix, ASAP.
There’s also this theory floating around that says the vulnerability had not just crept in but was placed on purpose so as to create a backdoor. Even Oleksiuk has mentioned this in passing.
Lenovo’s public statement though is intricately carved. For example, it states it is “determining the identity of the original author,” since it “does not know its originally intended purpose.”