‘Massive security risk’ in Lenovo computers discovered by security firm IOActive
Researchers have uncovered what they say is a potentially major security flaw in a wide range of Lenovo computers.
A research team at security firm IOActive found that three vulnerabilities could be exploited to install malware on users’ systems or to hand attackers a measure of control over them.
Lenovo has acknowledged the findings and urged users to download a patch to resolve the issues.
The flaws were first detected in February and the patch was released in April; however, IOActive’s findings weren’t published until this week.
They include a vulnerability which would allow attackers to “bypass signature validation checks and replace trusted Lenovo applications with malicious applications”.
This would put users at risk of man-in-the-middle attacks on the update download, for example from an attacker sitting on the same unsecured public Wi-Fi network.
The attacker could “exploit this to swap Lenovo’s executables with a malicious executable”, the researchers wrote, because Lenovo System Update does not ‘completely verify’ all the files it downloads as part of a system update: it checks that a file is signed, but not strongly enough that the file it then executes is the one Lenovo signed.
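The check an updater should make before running a downloaded file is the one the researchers describe as incomplete: not just “is there a valid signature?” but “is this exact file, at the path it will run from, signed by the publisher we expect?”. The following PowerShell is an added example, not Lenovo’s or IOActive’s code; the update path and the publisher subject pattern are assumptions chosen for illustration.

```powershell
# Added example (not from the article, Lenovo or IOActive): verify a downloaded
# update before executing it. $UpdatePath and $ExpectedPublisher are assumptions.
$UpdatePath        = 'C:\ProgramData\Lenovo\SystemUpdate\sessionSE\update.exe'  # assumed path
$ExpectedPublisher = 'CN=Lenovo*'                                               # assumed subject pattern

function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )

    # Verify the bytes that will actually run, at the location they will run from.
    # Verifying a manifest or a temporary copy and then executing a different file
    # is exactly the "swap the executable" window the researchers describe.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Weak check: "is it signed?" A valid signature from *anyone* passes this.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path   = $Path; Ok = $false
            Reason = "Signature status: $($sig.Status) ($($sig.StatusMessage))"
        }
    }

    # Stronger check: is it signed by the publisher we expect? 'Valid' only means
    # the chain builds to a root this machine trusts; a certificate issued to some
    # other company would also be 'Valid'.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike $ExpectedSubject) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Unexpected signer: $subject" }
    }

    return [pscustomobject]@{
        Path   = $Path; Ok = $true
        Reason = "Signed by $subject ($($sig.SignerCertificate.Thumbprint))"
    }
}

$result = Test-UpdateSignature -Path $UpdatePath -ExpectedSubject $ExpectedPublisher
if ($result.Ok) {
    # Run the same path that was just verified, with nothing in between.
    Start-Process -FilePath $UpdatePath -Wait
} else {
    Write-Error "Refusing to run update: $($result.Reason)"
}
```

Matching on the subject name is the minimum; a real updater should pin the signing certificate’s thumbprint (or the publisher’s key) rather than a name string, since a name can be reproduced by anyone who obtains a code-signing certificate with that common name. The ordering also matters: verification and execution must be on the same file with no window for it to be replaced in between.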
This “high”-rated flaw affects all ThinkPad, ThinkCentre, and ThinkStation products, along with V, B, K, and E-series machines.
The other two flaws found by the researchers would allow attackers to run commands as the SYSTEM user, Windows’ most privileged built-in account, which is a privilege escalation: whoever reaches the update service gains far more control over the machine than their own account permits.
“Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them,” Lenovo told TechWeekEurope in a statement.
“Lenovo released an updated version of Lenovo System Update on April 1, which resolves these vulnerabilities. We subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege. Existing installations of Lenovo System Update will prompt the user to automatically install the updated version when the application is run. Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive.”
The news is worrying for the world’s largest PC manufacturer, which came under fire earlier this year following reports that it had shipped laptops with the Superfish adware pre-installed, which injected third-party advertisements into users’ web browsing.
Superfish installed its own self-signed root certificate into the machine’s trusted certificate store, allowing it to intercept and decrypt users’ encrypted (HTTPS) browser traffic, collect data from it, and secretly drop advertisements into browser sessions. Because the same certificate and private key shipped on every affected machine, anyone who extracted that key could impersonate any website to those users.
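Because the damage in the Superfish case came from an extra root certificate in the Windows trust store, the practical check is to audit that store for roots that should not be there. The PowerShell below is an added example, not from the article or Lenovo; the subject pattern it searches for is an assumption based on the adware’s name.

```powershell
# Added example (not from the article or Lenovo): find trusted root certificates
# matching a subject pattern, in both the machine-wide and per-user root stores.
# The '*Superfish*' pattern is an assumption used for illustration.
function Find-SuspiciousRoot {
    param([string] $SubjectPattern = '*Superfish*')

    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                    NotAfter   = $_.NotAfter
                    # A root with its private key on the machine is a red flag: that is
                    # what lets software mint certificates for arbitrary sites.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-SuspiciousRoot)
if ($hits.Count -eq 0) {
    Write-Output 'No matching root certificates found.'
} else {
    $hits | Format-Table -AutoSize
    # Removal, once you have confirmed the hit (run elevated for the LocalMachine store):
    # $hits | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
}
```

Removing the certificate is only half the cleanup; the software that installed it (and would reinstall it) must be uninstalled as well, and the check is worth repeating after any vendor-supplied software refresh.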