Serious Security Vulnerabilities Discovered in Lenovo AIO PCs: Steps to Take if You’re Impacted

Lenovo has issued a warning to users regarding significant BIOS security vulnerabilities identified in certain models of its IdeaCentre and Yoga All-In-One desktops. Because the flaws sit in the firmware, deeper than the kernel level, a compromise that abuses them is difficult to identify and remediate. Even a full system reinstallation might not eradicate deeply entrenched malware, which makes these issues particularly hazardous. Several models have been assigned high severity ratings due to these vulnerabilities.

The affected Lenovo desktops include the following: Lenovo IdeaCentre AIO 3 24ARR9, Lenovo IdeaCentre AIO 3 27ARR9, Lenovo Yoga AIO 27IAH10, Lenovo Yoga AIO 32ILL10, and Lenovo Yoga AIO 9 32IRH8. The root of the problem stems from the Insyde BIOS firmware, which is sourced from the Taiwanese company Insyde and not from Lenovo itself. Fortunately, it appears that devices from other manufacturers are not using this specific UEFI version and are therefore not at risk. For users impacted by these vulnerabilities, Lenovo is actively working on comprehensive patches.

Currently, however, updates are available only for the two IdeaCentre models. Owners of the vulnerable Lenovo Yoga AIO desktops will likely need to wait until September for relevant updates to be released. In the meantime, users who already have Lenovo’s update management tool installed can use it to monitor for and apply updates.
