Yogi_900
Fanfold Paper
Posts: 5
Registered: ‎01-09-2018
Location: US
Views: 2,862
Message 1 of 16

Yoga 900 13ISK Meltdown/Spectre update?

I can't apply Microsoft updates to address the Meltdown/Spectre vulnerabilities until there is an update to the BIOS software from Lenovo. I have reviewed the support page that lists models targeted for updates, and I don't see mine listed: https://support.lenovo.com/us/en/solutions/len-18282

 

This is my main personal laptop, which I use for a lot of important tasks. If I can't apply this critical security update then it's worthless to me. This is not a very old machine; I would expect there to be some acknowledgement of it on that support page, but as far as I can see only newer Yoga models are being targeted for firmware patches. Please advise whether Lenovo intends to address this issue on this model.

Speedytr
Paper Tape
Posts: 6
Registered: ‎11-06-2016
Location: TR
Views: 2,646
Message 2 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

As usual, Lenovo Support is playing 3 monkeys. I am NEVER going to buy another Lenovo product because of this behavior.
Yogi_900
Fanfold Paper
Posts: 5
Registered: ‎01-09-2018
Location: US
Views: 2,466
Message 3 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

Bumping this with an update, and to reiterate my need to know if I can expect a firmware/BIOS patch.

 

First, to correct a sentence in my previous post: a Microsoft update is available for my machine (and, as far as I know, any Windows 10 computer) which provides partial mitigation against Meltdown/Spectre: KB4056892. It was not showing up for me in Windows Update, which I originally thought was due to my not having a firmware update, but I realized that I was able to download it directly, so I've applied that patch. 

 

However, as I say the MS update is only partial mitigation, and to fully address this very bad vulnerability a firmware/BIOS update is still needed from Lenovo. Since my original posting there has been no response from anyone at Lenovo, despite this being a support forum specifically dedicated to Lenovo products. As I said before, this is not a very old machine and I think it's reasonable to expect a patch from Lenovo. At the very least we deserve some kind of acknowledgement that this is an issue for this model, so if you're not going to release a patch please just say so -- pretending the issue doesn't exist is a disservice to your customers and makes it that much harder for those of us trying to verify that our systems are reasonably secure. 

Community SeniorMod
Community SeniorMod
Posts: 3,238
Registered: ‎12-01-2007
Location: US
Views: 2,406
Message 4 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

Hello,

 

This is a reply I gave to someone with a different model, but in a similar situation:

 

https://forums.lenovo.com/t5/Security-Malware/BIOS-updates-for-Meltdown-and-Spectre/m-p/3945092#M307...

 

Does that help answer your question?

 

Regards,

 

Aryeh Goretsky



I am a volunteer and neither a Lenovo nor a Microsoft employee.

L380 Yoga, P50 (20EN-*), S230u (3347-4HU), T23 (2648-LU7), T42 (2378-R4U), T43p (2678-H7U), T61p (6459-CTO), W510 (4318-CTO), W530 (2441-4R3), W530 (2441-4R3), X100e (3508-CTO), X120e (0596-CTO), X220 (4286-CTO), X250 (20CM-*), Yoga 370

Yogi_900
Fanfold Paper
Posts: 5
Registered: ‎01-09-2018
Location: US
Views: 2,356
Message 5 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

"Does that help answer your question?"

Respectfully, Aryeh, it doesn't. I appreciate that you are spending your own time trying to shed some light on the issue, and you gave some reasonable explanations in your linked post for why patches aren't out yet. But if you go back and read my previous posts you'll see that what I would like most of all is an indication from Lenovo as to whether they intend to address this issue on this model. Yes, I want a good patch, of course, and I can wait for a patch if I have a reason to expect one. I've been keeping tabs on the relevant support page, which has been getting updated periodically, but to date my laptop has not appeared on the list of targeted models. I'm very interested to know whether the manufacturer intends to support this not-very-old hardware, and I'm disappointed that they haven't been more forthcoming about it given the severity of the issue. People who care about such things are paying close attention now to the major PC vendors and how well they respond to and support their customers. For me, certainly, the stance of the company on a major bug like this will determine whether I'll consider buying another Lenovo product in the future, or whether I'd advise others to do so.

If you know of any official communication channel, besides the aforementioned support page, which I should monitor for updates on the situation, please share. Thank you. 

Community SeniorMod
Community SeniorMod
Posts: 3,238
Registered: ‎12-01-2007
Location: US
Views: 2,314
Message 6 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

Hello,

 

First off, thanks for taking the time to write such a detailed reply.

 

Unfortunately, I don't really know what else to tell you at this time.  I'm in the same situation as you are, waiting to find out what's going to get an update, and when, and what's not.  And that's not just for Lenovo kit listed in my signature, which is personal.  I have a lab's worth of servers, desktops, laptops, tablets and smartphones from every tier-1 manufacturer, and I have no idea what I'm going to need to replace for most of that gear.

 

Since my original message to you, Lenovo's already updated their LEN-18282 advisory once already, but none of the new updates match your system or any of mine, for that matter.

 

I have to imagine that even with pulling in additional personnel to help qualify updates, there's a finite number of engineers to perform tests on them, interpret the results and validate whether or not CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 are completely solved.  And things like checking for regressions, or dealing with whatever hot issues were on their plates prior to Meltdown and Spectre being announced likely had to get shelved in favor of fixing this.  And then there's probably all sorts of asynchronous interactions dependent on the affected CPU vendors' engineering services, who I'd imagine are even more overloaded.

 

At the company I work at, dealing with this has pretty much been my sole priority since January 5th, and I've been tracking how ~240 vendors are handling this with varying degrees of responsiveness, and I think Lenovo is actually doing a pretty good job in that regard.  There are some companies who are treating this more as a marketing exercise and others who haven't even published any kind of security bulletin at all.  There are some that don't even have anything at all.  I have to imagine that's got to be pretty frustrating for their customers.  Lenovo, on the other hand, has been constantly updating their information at least every couple of days (if not more frequently) in their PSIRT site. 

 

I know it's frustrating, but at least with Lenovo you're seeing some movement and, as I write this, I'm unaware of any attack code exploiting these vulnerabilities being used in the wild.  So, the best suggestion I have at this point is to keep checking and see how the Lenovo product security bulletin evolves.  At some point, you'll hopefully get the answer you're looking for, and you'll have a system that's not just secure, but is just as stable as it was before the fix, and with as minimal an impact to performance as possible.

 

Regards,

 

Aryeh Goretsky

 

 

 



I am a volunteer and neither a Lenovo nor a Microsoft employee.

Yogi_900
Fanfold Paper
Posts: 5
Registered: ‎01-09-2018
Location: US
Views: 2,003
Message 7 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

For anyone looking for an update regarding this particular model, it has appeared on the support page linked above: https://support.lenovo.com/us/en/solutions/len-18282 

No estimated date for a patch, but at least it's acknowledged as a model that they intend to target.

popy
Punch Card
Posts: 33
Registered: ‎09-22-2016
Location: AT
Views: 1,296
Message 8 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

Any news/updates from @lenovo when the new BIOS will be available for the yoga 900 13isk?

 

thx

Community SeniorMod
Community SeniorMod
Posts: 3,238
Registered: ‎12-01-2007
Location: US
Views: 1,254
Message 9 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

Hello,

 

I have not seen an update at https://pcsupport.lenovo.com/uu/en/products/laptops-and-netbooks/yoga-series/yoga-900-13isk/download... but the list at https://support.lenovo.com/uu/en/solutions/len-18282 just got updated last week, so Lenovo is in the process of getting firmware updates out.

 

Regards,

 

Aryeh Goretsky

 



I am a volunteer and neither a Lenovo nor a Microsoft employee.

Sid20
Ctrl-Alt-Del
Posts: 9
Registered: ‎03-20-2018
Location: US
Views: 974
Message 10 of 16

Re: Yoga 900 13ISK Meltdown/Spectre update?

Yoga 900 13ISK is no longer on the page (https://support.lenovo.com/us/en/solutions/len-18282). Can someone provide information as to when we can expect to get a firmware update?
