This year has proved to be a bumpy one for China-based Lenovo, whose computers were again found to contain several security vulnerabilities. The latest three “high” severity vulnerabilities were discovered in February by researchers at IOActive.
Earlier this year, Lenovo’s consumer notebooks were found to include preloaded adware called Superfish that could compromise users’ data. The company apologized for including the software on its devices and pledged to eliminate any “bloatware” on future computers.
The three latest vulnerabilities were discovered by IOActive researchers Michael Milvich and Sofiane Talmat, who then notified Lenovo about the problems. Lenovo released patches for all three issues on April 3.
All ThinkPads, Other Devices Affected
Lenovo is the world’s largest maker of consumer PCs. In releasing its shipment figures for the first quarter of 2015 last month, the company reported that it had a 19.6-percent share of the world market and had achieved a new record market share of 11.8 percent in the U.S.
The company released a statement on Wednesday saying its development and security teams had been working with IOActive to address the latest vulnerabilities, and had updated its Lenovo System Update on April 1.
While the System Update should prompt users to automatically install a new program to resolve the latest vulnerabilities, users can also run the updater manually. Among the devices that might have been affected by the flaws discovered by IOActive are all ThinkPads, all ThinkCentres, and all ThinkStations as well as computers in the Lenovo V/B/K/E series.
When Lenovo issued its apology earlier this year, it noted that the Superfish incident reinforced the principle that “customer experience, security and privacy must be our top priorities . . . Our goal is clear: To become the leader in providing cleaner, safer PCs.”
‘Massive Security Risk’
In their technical analysis, Milvich and Talmat describe three vulnerabilities, all of which affected Lenovo’s previous version of its System Update. Those flaws included the use of a predictable security token, the presence of signature validation errors and a so-called “race condition” in which multiple operations that need to be performed in a certain sequence “race” one another to complete.
With the Lenovo System Update race condition, two executables were competing: verification of the signature and execution of the saved executable. This opened up the system to the possibility that a local attacker could run malicious code instead of the intended executable without encountering privilege problems. Such an attack could allow a hacker to gain elevated permissions to access a user’s system, Milvich and Talmat noted.
The other two vulnerabilities that IOActive identified included the use of a predictable security token that could allow a malcious, unprivileged user to arbitrarily execute commands during system updates, which “represents a massive security risk,” Milvich and Talmat said. Another flaw with signature validation could allow hackers to “bypass signature validation checks and replace trusted Lenovo applications with malicious applications,” they added.
LenovoIN:
Posted: 2015-05-07 @ 3:16pm PT
This news has been out for almost a month. Responsible users would have updated this tool, being that if they launched an outdated version, they are prompted to update the tool.
Just like your OS, drivers, software etc…. these tools have to be updated.
The advisory re: this flaw came out April 14, 2015.
https://support.lenovo.com/us/en/product_security/lsu_privilege
BePrecise:
Posted: 2015-05-07 @ 2:44pm PT
Wrong article title. It is not Lenovo Computers that have ‘Massive Security Risk’. It is the pre-installed software, starting with the mother of all bloatware, Windows. Security-conscious users wipe out the pre-installed bloatware and make a clean start, ideally with Ubuntu.
