01-09-2018 10:03 AM
I can't apply Microsoft updates to address the Meltdown/Spectre vulnerabilities until there is an update to the BIOS software from Lenovo. I have reviewed the support page that lists models targeted for updates, and I don't see mine listed: https://support.lenovo.com/us/en/solutions/len-18282
This is my main personal laptop, which I use for a lot of important tasks. If I can't apply this critical security update then it's worthless to me. This is not a very old machine, I would expect there to be some acknowledgement of it on that support page, but as far as I can see only newer Yoga models are being targeted for firmware patches. Please advise whether Lenovo intends to address this issue on this model.
01-15-2018 07:34 AM
Bumping this with an update, and to reiterate my need to know if I can expect a firmware/BIOS patch.
First, to correct a sentence in my previous post: a Microsoft update is available for my machine (and, as far as I know, any Windows 10 computer) which provides partial mitigation against Meltdown/Spectre: KB4056892. It was not showing up for me in Windows Update, which I originally thought was due to my not having a firmware update, but I realized that I was able to download it directly, so I've applied that patch.
However, as I say the MS update is only partial mitigation, and to fully address this very bad vulnerability a firmware/BIOS update is still needed from Lenovo. Since my original posting there has been no response from anyone at Lenovo, despite this being a support forum specifically dedicated to Lenovo products. As I said before, this is not a very old machine and I think it's reasonable to expect a patch from Lenovo. At the very least we deserve some kind of acknowledgement that this is an issue for this model, so if you're not going to release a patch please just say so -- pretending the issue doesn't exist is a disservice to your customers and makes it that much harder for those of us trying to verify that our systems are reasonably secure.
01-17-2018 03:07 AM
This is a reply I gave to someone with a different model, but in a similar situation:
Does that help answer your question?
01-17-2018 07:07 PM
Does that help answer your question?
Respectfully, Aryeh, it doesn't. I appreciate that you are spending your own time trying to shed some light on the issue, and you gave some reasonable explanations in your linked post for why patches aren't out yet. But if you go back and read my previous posts you'll see that what I would like most of all is an indication from Lenovo as to whether they intend to address this issue on this model. Yes, I want a good patch, of course, and I can wait for a patch if I have a reason to expect one. I've been keeping tabs on the relevant support page, which has been getting updated periodically, but to date my laptop has not appeared on the list of targeted models. I'm very interested to know whether the manufacturer intends to support this not-very-old hardware, and I'm disappointed that they haven't been more forthcoming about it given the severity of the issue. People who care about such things are paying close attention now to the major PC vendors and how well they respond to and support their customers. For me, certainly, the stance of the company on a major bug like this will determine whether I'll consider buying another Lenovo product in the future, or whether I'd advise others to do so.
If you know of any official communication channel, besides the aforementioned support page, which I should monitor for updates on the situation, please share. Thank you.
01-18-2018 03:55 AM
First off, thanks for taking the time to write such a detailed reply.
Unfortunately, I don't really know what else to tell you at this time. I'm in the same situation as you are, waiting to find out what's going to get an update, and when, and what's not. And that's not just for Lenovo kit listed in my signature, which is personal. I have a lab's worth of servers, desktops, laptops, tablets and smartphones from every tier-1 manufacturer, and I have no idea what I'm going to need to replace for most of that gear.
Since my original message to you, Lenovo's already updated their LEN-18282 advisory once already, but none of the new updates match your system or any of mine, for that matter.
I have to imagine that even with pulling in additional personnel to help qualify updates, there's a finite number of engineers to perform tests on them, interpret the results and validate whether or not CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 are completely solved. And things like checking for regressions, or dealing with whatever hot issues were on their plates prior to Meltdown and Spectre being announced likely had to get shelved in favor of fixing this. And then there's probably all sorts of asynchronous interactions dependent on the affected CPU vendors' engineering services, who I'd imagine are even more overloaded.
At the company I work at, dealing with this has pretty much been my sole priority since January 5th, and I've been tracking how ~240 vendors are handling this with varying degrees of responsiveness, and I think Lenovo is actually doing a pretty good job in that regard. There are some companies who are treating this more as a marketing exercise and others who haven't even published any kind of security bulletin at all. There are some that don't even have anything at all. I have to imagine that's got to be pretty frustrating for their customers. Lenovo, on the other hand, has been constantly updating their information at least every couple of days (if not more frequently) in their PSIRT site.
I know it's frustrating, but at least with Lenovo you're seeing some movement and, as I write this, I'm unaware of any attack code exploiting these vulnerabilities being used in the wild. So, the best suggestion I have at this point is to keep checking and see how the Lenovo product security bulletin evolves. At some point, you'll hopefully get the answer you're looking for, and you'll have a system that's not just secure, but is just as stable as it was before the fix, and with as minimal an impact to performance as possible.
02-13-2018 06:20 AM
For anyone looking for an update regarding this particular model, it has appeared on the support page linked above: https://support.lenovo.com/us/en/solutions/len-18282
No estimated date for a patch, but at least it's acknowledged as a model that they intend to target.
05-01-2018 05:07 AM
I have not seen an update at https://pcsupport.lenovo.com/uu/en/products/laptops-and-netbooks/yoga-series/yoga-900-13isk/download... but the list at https://support.lenovo.com/uu/en/solutions/len-18282 just got updated last week, so Lenovo is in the process of getting firmware updates out.
07-12-2018 08:05 PM
The Yoga 900 13ISK is no longer on the page (https://support.lenovo.com/us/en/solutions/len-18282). Can someone provide information as to when we can expect to get a firmware update?