Lenovo has warned customers that 24 models of its ThinkPad laptops, which are popular with business users, are affected by two critical vulnerabilities in Broadcom wireless controllers.
The flaws, tracked as CVE-2017-11120 and CVE-2017-11121, were discovered last year by researchers from Google’s Project Zero and were patched in both Android and iOS devices in September. The vulnerabilities can be exploited remotely by unauthenticated users to achieve remote code execution on devices.
It turns out that the same flaws exist in the Broadcom BCM4356 Wireless LAN driver shipped with two dozen Lenovo ThinkPad models. The company released a patched driver version (1.558.53.1) for most affected laptops in November and December, but only notified customers about the existence of the flaws Feb. 8 in a security advisory.
There are two affected models of ThinkPad L460 (20FU and 20FV) for which an update is not yet available, and some other models are flagged with “no supplier support,” which might indicate they will never receive a patch. Most affected laptops received Windows 10 driver updates, but some also require patched versions for Windows 8.1 and Windows 7 that are not yet available.
The affected products are ThinkPad 10, ThinkPad L460, ThinkPad L560, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260, ThinkPad Yoga 260 and ThinkPad S1 2nd Gen.
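For administrators who need to confirm that the patched driver actually landed on their ThinkPad fleet, the following is an added example (not code from the article, Lenovo or Broadcom) that compares inventoried Broadcom BCM4356 driver versions against the 1.558.53.1 release the article cites. The inventory records are constructed sample data; on a real Windows host the same DeviceName/DriverProviderName/DriverVersion fields can be read from the Win32_PnPSignedDriver WMI class, which is an assumption about how the data would be collected, not something the article describes.

```python
# Added example (not from the article): flag Broadcom BCM4356 driver versions
# older than the patched 1.558.53.1 release Lenovo shipped.
# SAMPLE_RECORDS below is constructed data; on a real Windows host the same
# fields would come from the Win32_PnPSignedDriver WMI class (assumption).

PATCHED_VERSION = "1.558.53.1"  # patched driver version cited in the article


def parse_version(text):
    """Turn a dotted driver version such as '1.558.53.1' into a tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(driver_version, patched=PATCHED_VERSION):
    """True if driver_version is older than the patched release.

    Tuple comparison handles versions of different length correctly:
    (1, 558, 53) sorts before (1, 558, 53, 1), so a three-part version
    is still treated as older than the patched four-part one.
    """
    return parse_version(driver_version) < parse_version(patched)


def flag_vulnerable(records):
    """Return (DeviceName, DriverVersion) for BCM4356 drivers needing the update.

    Each record is a dict with DeviceName, DriverProviderName and DriverVersion.
    Non-Broadcom and non-BCM4356 entries are ignored because the advisory
    covers only that wireless driver.
    """
    flagged = []
    for rec in records:
        if "BCM4356" not in rec["DeviceName"]:
            continue
        if is_vulnerable(rec["DriverVersion"]):
            flagged.append((rec["DeviceName"], rec["DriverVersion"]))
    return flagged


# Constructed sample inventory: one patched BCM4356 adapter, one unpatched,
# and an unrelated adapter that must be ignored. Device names are made up.
SAMPLE_RECORDS = [
    {"DeviceName": "Broadcom 802.11ac Network Adapter (BCM4356)",
     "DriverProviderName": "Broadcom", "DriverVersion": "1.558.53.1"},
    {"DeviceName": "Broadcom 802.11ac Network Adapter (BCM4356)",
     "DriverProviderName": "Broadcom", "DriverVersion": "1.531.8.1"},
    {"DeviceName": "Example Ethernet Controller",
     "DriverProviderName": "ExampleVendor", "DriverVersion": "12.15.22.6"},
]

if __name__ == "__main__":
    for name, ver in flag_vulnerable(SAMPLE_RECORDS):
        print(f"UPDATE NEEDED: {name} running {ver} (older than {PATCHED_VERSION})")
```

The numeric tuple comparison matters: a plain string comparison would rank "1.531.8.1" above "1.558.53.1" in some cases and "1.6" above "1.558", so any fleet check should parse versions rather than compare text. The L460 20FU/20FV models and the Windows 7/8.1 cases the article mentions have no patched version to compare against yet, so a flagged result there means "still exposed," not "update available."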
On Feb. 8, Lenovo also offered guidance for a weak password issue in Intel vPro Active Management Technology (AMT) that affects ThinkPad systems and for a privilege escalation vulnerability in Intel graphics drivers that exists in many Lenovo laptops, desktops, all-in-one systems, workstations and servers.
VMware Starts Releasing Meltdown and Spectre Fixes for Virtual Appliances
VMware has released updates and workarounds this week for several of its virtual appliances impacted by the serious Meltdown and Spectre CPU vulnerabilities announced last month.
According to an advisory published Feb. 8, the affected appliances are: vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC) and vRealize Automation (vRA).
Fixes are currently available only for vSphere Integrated Containers; the company advises customers to update to version 1.3.1. For the rest of the affected virtual appliances, VMware has provided workarounds in individual support articles.
The company previously released updates for its ESXi hypervisor to include the CPU microcode patches released by Intel in January. However, after Intel confirmed that those fixes caused unexpected reboot issues, VMware decided to withdraw the ESXi updates from its website.
WordPress Releases Update to Fix Broken Automatic Updates
One day after releasing a WordPress update this week, developers of the popular content management system had to release another one to fix a bug that broke the automatic update functionality. As a result, users now have to manually install the latest update to receive future updates.
“Unfortunately yesterdays (sic) 4.9.3 release contained a severe bug which was only discovered after release,” WordPress developer Dion Hulse said in a blog post. “The bug will cause WordPress to encounter an error when it attempts to update itself to WordPress 4.9.4, and will require an update to be performed through the WordPress dashboard or hosts update tools.”