Welcome to our peer-to-peer forums, where owners help owners. Need help now? Visit eSupport here.

English Community

Software and Operating SystemSecurity & Malware
All Forum Topics
Options

1 Posts

01-13-2018

Russian Federation

9 Signins

73 Page Views

  • Posts: 1
  • Registered: ‎01-13-2018
  • Location: Russian Federation
  • Views: 73
  • Message 11 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-17, 9:45 AM

Hi Aryeh,

 

What about systems that are listed neither in https://download.lenovo.com/eol/index.html nor in https://support.lenovo.com/us/en/solutions/len-18282?

 

E.g., Lenovo Yoga 2 Pro.

 

 

A bunch of rushed patches by, at least, Intel, Microsoft, and Ubuntu, have bricked the systems.

So I don't want to fearmonger and hurry anyone, but it would be nice to have a proper (even approximate) timeline of BIOS updates. Or at least know for sure that it is not coming at all.

 

 

Reply
Options

3985 Posts

12-02-2007

United States of America

9078 Signins

192748 Page Views

  • Posts: 3985
  • Registered: ‎12-02-2007
  • Location: United States of America
  • Views: 192748
  • Message 12 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-17, 10:54 AM

Hello,

 

The LEN-18282 advisory seems to be getting updated every couple of days right now, so the best suggestion I have at this point is to keep checking it for updates.

 

As best as I can tell, Intel seems to be rolling out the patches for the Meltdown and Spectre vulnerabilities starting with their newest CPUs first, and working their way backwards towards older models, according to this statement:

 


For Intel CPUs introduced in the past five years, we expect to issue updates for more than 90 percent of them within a week, and the remainder by the end of January. We will continue to issue updates for other products thereafter.


Sourcehttps://newsroom.intel.com/news/intel-offers-security-issue-update/

 

However, there also has to be time to formally verify that the patches work.  We've alread seen patches withdrawn by Dell, Lenovo and VMware (amongst others) because Intel subsequently found out they were buggy, and I think everyone's trying to avoid having to re-release a patch multiple times because of quality issues.

 

In the meantime, keep all your other software up to date (operating system, security software, web browser, drivers, etc.).  For example, Nvidia and AMD have both stated that their GPUs are not vulnerable to Spectre (Meltdown is Intel-specific), but Nvidia recently released some security updates for their device drivers under Windows because their software was vulnerable, etc.

 

My day job (I'm a volunteer here) is in the computer security field, and I've been carefully watching how this evolves.  To date, I have not seen any evidence of attack code exploiting these vulnerabilties in the wild, so from that perspective, we're more in the prescriptive advice and guidance phase, where the information compromise level from the vulnerability is high, but the risk of it happening, right now, is low.

 

Regards,

 

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee.

L380 YogaP72 (20MB-*)P50 (20EN-*)S230u (3347-4HU)T23 (2648-LU7)T42 (2378-R4U)T43p (2678-H7U)T61p (6459-CTO)W510 (4318-CTO)W530 (2441-4R3)W530 (2441-4R3)X100e (3508-CTO)X120e (0596-CTO)X220 (4286-CTO)X250 (20CM-*)Yoga 370

  Communities:   English    Deutsche    Español    Português    Русскоязычное    Česká    Slovenská    Українська   Język Polski    Moto English


Need an answer, fast? Try using Browser Search to find it in the Lenovo and Moto Community
Reply
Options

35 Posts

03-16-2014

United States of America

66 Signins

552 Page Views

  • Posts: 35
  • Registered: ‎03-16-2014
  • Location: United States of America
  • Views: 552
  • Message 13 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-18, 21:16 PM
I'm also wondering about a BIOS update for the Yoga 2 Pro Laptop (Machine Type Model: 80AY59394167). Come on Lenovo; please provide some information.
Reply
Options

2400 Posts

11-07-2014

United States of America

1534 Signins

24216 Page Views

  • Posts: 2400
  • Registered: ‎11-07-2014
  • Location: United States of America
  • Views: 24216
  • Message 14 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-18, 21:45 PM
I have been watching threads, talking with my friends at intel and AMD... Mostly they are stating that Meltdown will require an "overhaul" of the entire CPU design to fix, while Scepter can be addressed via software patches.

For the most part most of the patches will be coming soon to deal with scepter, the meltdown bug will take some time to remove.

CB

I do not work for Lenovo, I only provide suggestions based on my personal willingness to help others. All advice and comments are based on my experience, and do not reflect Lenovo policy, terms or conditions.
Reply
Options

217 Posts

06-04-2015

Brazil

1132 Signins

6609 Page Views

  • Posts: 217
  • Registered: ‎06-04-2015
  • Location: Brazil
  • Views: 6609
  • Message 15 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-18, 22:00 PM

[Moderator Note:  Posting edited to conform to the Community Guidelines.]

 

Dear goretsky,

 

While Intel has now issued Firmware updates for CPUs introduced in the past 5 years, Lenovo Yoga 2 Pro (20266) - Intel Core i7 4500U Haswell with "only" 3 years old isn't even listed under Lenovo End-Of-Life List or Lenovo Security Advisory LEN-18282 (NO ETA FOR US) as detailed HERE.

Please Lenovo keep us safe supporting your costumers with a proper Firmware update to address Spectre ASAP.

Best Regards,

Reply
Options

1 Posts

01-19-2018

Sweden

1 Signins

16 Page Views

  • Posts: 1
  • Registered: ‎01-19-2018
  • Location: Sweden
  • Views: 16
  • Message 16 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-19, 9:31 AM

Great to hear that these updates are being worked on!

 

However, the list at https://support.lenovo.com/se/sv/solutions/len-18282 doesn't seem very well-sorted. Some models are listed with their complete name (like "Lenovo ideapad 320-17IKB/520-15IKB") and some are just the model numbers which results in an unsorted list that makes it unnecessarily difficult to find things.

 

Myself, I have a Lenovo IdeaPad 310-15ISK and I am unsure if it is unlisted on this page (which would suck) or if it's the same as the "V310-15ISK" that IS listed. Does the "V" stand for "version" so that this is the same model version as I have, or is it a totally different model? [If it's a different model, please Lenovo: never name your models like that again, because starting the name with a "V" before a number series almost always means "version" so don't confuse people by naming models that way, if you mean something completely different!!]

 

Since my current bios is named 0XCN37WW and the "V310-15ISK" bios is called 0ZCN44WW ("Z" instad of "X"), I'm guessing that they are two totally different models. Which would lead to the question: is an update being looked at for the IdeaPad 310-15ISK? Could it be added to the page above, with an ETA for the security update?

 

When inspecting my computer with InSpectre, it shows me what protection is present for the system and what is still lacking. As can be seen, the protection that is missing is the bios update.

 

 

 

 

Reply
Options

3985 Posts

12-02-2007

United States of America

9078 Signins

192748 Page Views

  • Posts: 3985
  • Registered: ‎12-02-2007
  • Location: United States of America
  • Views: 192748
  • Message 17 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-19, 10:04 AM

Hello,

 

Intel has asked companies like Dell, HP and Lenovo to withdraw them because of quality issues:

 

https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/

 

Remember, even after Intel does get things correct, Lenovo should take some time to verify the quality of microcode before releasing it.  If your system randomly blue screens because of the patch, that's not a great outcome for everyone involved (Intel, Lenovo and, most importantly, you).

 

Regards,

 

Aryeh Goretsky

 

 


wrote:

Dear goretsky,

 

While Intel has now issued Firmware updates for CPUs introduced in the past 5 years, Lenovo Yoga 2 Pro (20266) - Intel Core i7 4500U Haswell with "only" 3 years old isn't even listed under Lenovo End-Of-Life List or Lenovo Security Advisory LEN-18282 (NO ETA FOR US) as detailed HERE.

Please Lenovo keep us safe supporting your costumers with a proper Firmware update to address Spectre ASAP.

Best Regards,


 



I am a volunteer and neither a Lenovo nor a Microsoft employee.

L380 YogaP72 (20MB-*)P50 (20EN-*)S230u (3347-4HU)T23 (2648-LU7)T42 (2378-R4U)T43p (2678-H7U)T61p (6459-CTO)W510 (4318-CTO)W530 (2441-4R3)W530 (2441-4R3)X100e (3508-CTO)X120e (0596-CTO)X220 (4286-CTO)X250 (20CM-*)Yoga 370

  Communities:   English    Deutsche    Español    Português    Русскоязычное    Česká    Slovenská    Українська   Język Polski    Moto English


Need an answer, fast? Try using Browser Search to find it in the Lenovo and Moto Community
Reply
Options

1 Posts

01-19-2018

Greece

12 Signins

81 Page Views

  • Posts: 1
  • Registered: ‎01-19-2018
  • Location: Greece
  • Views: 81
  • Message 18 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-19, 12:47 PM

Seems like https://support.lenovo.com/gr/el/solutions/len-18282 has changed it's layout and there is no list at this moment, also would Lenovo release a patch for Ideapad Y450? My system is only vulnerable to Spectre.

Reply
Options

217 Posts

06-04-2015

Brazil

1132 Signins

6609 Page Views

  • Posts: 217
  • Registered: ‎06-04-2015
  • Location: Brazil
  • Views: 6609
  • Message 19 of 47

Re: BIOS updates for Meltdown and Spectre

2018-01-19, 13:37 PM

Dear goretsky,

Thanks for your reply.
Seems 'Lenovo Security Advisory LEN-18282' ( https://support.lenovo.com/us/en/solutions/len-18282 ) disappeared and is now redirect to a "Standard" 'Lenovo Support Site' ( https://download.lenovo.com/supportdata/index.html ) not related to address Spectre & Meltdown vulnerabilities.


What I realy would like to know is a simple and direct answer if LENOVO YOGA 2 PRO (20266 /80AY) 'WILL' or 'WILL NOT' receive a 'NEW Firmware' from Lenovo and the 'ETA'.
Could you please push Lenovo Engineering Team to provide this clarification statement?


Regards,

EDIT: NEW link to Lenovo Security Advisory: LEN-18282 (for Ideapad \ Yoga) and YOGA 2 PRO (20266) still isn't even listed under it.

Reply
Options

3 Posts

01-06-2018

Germany

11 Signins

79 Page Views

  • Posts: 3
  • Registered: ‎01-06-2018
  • Location: Germany
  • Views: 79
  • Message 20 of 47

SPECTRE FIXES canceled for X220, T420 and W520?

2018-01-19, 13:54 PM

Hello Lenovo!

 

I expected to see a new BIOS-Update for my X220 at end of february:

 

https://support.lenovo.com/de/en/solutions/len-18282

 

I was glad to see that, because Intel is just unable to make any clear statement and refuses to fix older CPUs. This is now removed, without a notice!

 

Dangerous security issues must be always fixed, there is not out of support in general. Despite that, the X220 was sold till 2013 and 2018 is in the ususal five year warranty range of the ThinkPads.

 

Can you tell us please, what is going on? I hope you will follow your own path of good support and not Intel. Interestingly there are still listed Microcodeupdates for SandyBridge (Server), same architecture.

 

Thanks

Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms