New Security Flaw Found in Lenovo PCs
Security researcher Dmytro "Cr4sh" Oleksiuk claims to have uncovered a flaw in Lenovo machines that could let attackers circumvent Windows' basic security protocols. Oleksiuk says that the vulnerable firmware driver was copy-and-pasted from data supplied by Intel. His concern was that other manufacturers might have adopted the same code -- with at least one HP Pavilion laptop from 2010 already identified as packing the flaw.
Lenovo says it is aware of the BIOS vulnerability located in the System Management Mode (SMM) code that impacts certain Lenovo PC devices.
Though the company's investigation is ongoing, Lenovo knows that vulnerable SMM code was provided to Lenovo by at least one of its Independent BIOS Vendors (IBVs). IBVs are software development firms that specialize in developing the customized BIOS firmware that is loaded into the PCs of original equipment manufacturers, including Lenovo. Following industry standard practice, IBVs start with the common code base created by chip vendors, such as Intel or AMD, and add additional layers of code that are specifically designed to work with a particular computer.
Lenovo says that the package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel.
Lenovo added that it's investigating the issue and will work with its partners to develop a fix as soon as possible.