So does this cut down the attack to people on your network? Would a simple NAT protect me here?
Also it's bizarre that they're disclosing this so soon, given that there are bound to be Lenovo (at least) customers who are not business customers and who don't read Hacker News and who aren't exactly going to update their BIOS as an everyday thing.
This feature is only active if you set it up and configure it for your company/management system. Random Lenovo customers aren't at risk. The only people at risk are companies that set AMT up, and then they should be looking for security issues with all the vendors they use.
If you're not a business customer you won't have AMT provisioned, so this hack won't work remotely. Apparently a local attacker could provision AMT and then perform the attack, but that's substantially less bad.