
Firmware exploit can defeat new Windows security features on Lenovo ThinkPads - walterbell
http://www.pcworld.com/article/3091104/firmware-exploit-can-defeat-new-windows-security-features-on-lenovo-thinkpads.html#jump
======
anonbanker
We need more Zero-Days. The bureaucracy of white-hat "notify the company
first" has been used to delay all sorts of huge vulnerabilities, while giving
nation state actors sufficient time to exploit before they're publicly
patched.

------
nxzero
>> "The exploit, dubbed ThinkPwn, was published earlier this week by a
researcher named Dmytro Oleksiuk, who did not share it with Lenovo in advance.
This makes it a zero-day exploit -- an exploit for which there is no patch
available at the time of its disclosure."

Anyone know why Lenovo wasn't given a heads up?

~~~
zarriak
From his article about this:

>Patch for this vulnerability is currently not available, I decided to do the
full disclosure because the main goal of my UEFI series articles is to share
the knowledge, not to make vendors and their users happy. Also, I don’t have
enough resources to check the vulnerability on all of the Lenovo computers,
so, if you have ThinkPad — it’s likely vulnerable, in case of other model
lines I’d recommend to wait for official advisory from vendor. It’s very
unlikely that this vulnerability will be exploited in the wild, for regular
customers there are much more chances to be killed with the lightning strike
than meet any System Management Mode exploit or malware.

>http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html

I would have assumed that it would also have to do with the Lenovo malware
they intentionally installed on their computers.

------
im3w1l
This requires root, or physical access, and enables takeover of even deeper
systems (UEFI). Did I understand that correctly?

