Notebookcheck Logo

'ThinkPwn' UEFI bug discovered on a wide range of notebooks

'ThinkPwn' UEFI bug discovered on a wide range of notebooks
'ThinkPwn' UEFI bug discovered on a wide range of notebooks
Lenovo has released a list of affected models, but the bug has been reportedly verified on notebooks and motherboards from other manufacturers as well.

A vulnerability relating to specific UEFI drivers has been discovered by Dmytro Oleksiuk (aka Cr4sh) and has been dubbed 'ThinkPwn' since the bug was first discovered on a Lenovo ThinkPad system. The bug, however, is not limited to Lenovo systems as it relates to a more generic Intel firmware that can also be found on certain systems from Dell, HP, Fujitsu, and Gigabyte. Additional manufacturers have not yet been ruled out, either.

Note that the UEFI bug requires physical access to the individual system to exploit, so users are still safe from outside attackers. Of the listed manufacturers, the following models have been proven to be vulnerable to the 'ThinkPwn' bug:

  • HP Pavillion DV7 4087CL (2010)
  • Fujitsu Lifebook A574/H (2013)
  • Dell Latitude E6430 (2012)
  • Gigabyte Mainboards from Ivy Bridge up to Broadwell (Models: Z68-UD3H, Z77X-UD5H, Z87MX-D3H, Z97-D3H)

Perhaps more alarmingly is that these systems are quite old dating back to as early as 2010, so the extent of the bug can be very wide. So far, most of these manufacturers have not publicly acknowledged the vulnerability including Intel.

Lenovo is the exception as the company has provided a list of known affected models. Accordingly, ThinkPad notebooks running on the Skylake platform are not affected by the vulnerability while older Ivy Bridge models (X230, T430, etc.) up to Broadwell models (X250, T450s, etc.) are all affected. Numerous Ideapad systems are also affected and any potential BIOS updates to patch the security flaw has not yet been released.

Source(s)

static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
.170
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2016 07 > 'ThinkPwn' UEFI bug discovered on a wide range of notebooks
Benjamin Herzig/ Allen Ngo, 2016-07-14 (Update: 2016-07-14)