Technology News

Lenovo PCs Have 'Massive Security Risk' Say Researchers; Fix Issued

By Ketan Pratap | Updated: 7 May 2015 15:19 IST
Lenovo PCs Have 'Massive Security Risk' Say Researchers; Fix Issued
Advertisement
Lenovo's image has taken another hit with a report of another software-related glitch on its computers that could potentially allow attackers to bypass signature validation checks and replace trusted Lenovo applications with malware.

Security researchers Michael Milvich and Sofiane Talmat of IOActive discovered a 'massive security risk' in the Lenovo System Update software in February, and reported the issue to the world's biggest PC maker. The researchers have now made the vulnerabilities public after Lenovo has issued a patch for the application.

The Chinese company has posted a patch for consumers on its support page titled "Lenovo System Update Privilege Escalation." Affected machines in the Lenovo lineup are the Lenovo ThinkPad, ThinkCentre, ThinkStation, and other Lenovo laptop (V, B, K, and E) series. Users of these machines can either run Lenovo System Update and install the new version when prompted by the app, or download and install the latest version manually.

Milvich and Talmat of IOActive have detailed three vulnerabilities in the Lenovo System Update software in a security advisory. According to the IOActive security advisory, the CVE-2015-2219 vulnerability allows local least-privileged users to run commands as the system user. The CVE-2015-2233 vulnerability, on the other hand, allows a hacker to replace the trusted company software with any malicious software.

"Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against "coffee shop" style attacks," notes the IOActive security advisory. Lastly, CVE-2015-2234 vulnerability allows local unprivileged users to run commands as an administrative user.

All the vulnerabilities reported by security researchers have been fixed in the new version of the Lenovo System Update software released by the Chinese firm, confirms IOActive security advisory. Lenovo has also thankedMilvich and Talmat of IOActive for reporting issues to the company in a responsible manner.

To recall, Lenovo faced much flak back in February when it was found to be pre-installing Superfish software, classified as adware by researchers, on its computers. After defending the software as a shopping tool to aid users, the world's largest PC maker promised to stop pre-installing such software.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Laptops, Lenovo, Lenovo Computers, Malicious Software, PC
Ketan Pratap
Ketan Pratap
Ketan Pratap is the editor at Gadgets 360 - with over 12 years of experience covering the technology domain. With a breadth and depth of knowledge in the field, he's done extensive work across news, features, reviews, and opinion pieces. But what's truly inspiring about Ketan is how he spends his free time. He's often found gazing at snow-capped mountains from over 20,000 feet while sitting on the hood of his car, taking in the breathtaking beauty of nature. His passion for the great ...More
Nintendo Posts Annual Profit on Wii U Sales Growth, Weak Yen
Rahul Gandhi Makes Twitter Debut With @OfficeOfRG Account

Related Stories

Lenovo PCs Have 'Massive Security Risk' Say Researchers; Fix Issued
Comment
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News
 
 

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi

Advertisement

Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Why Elon Musk Postponed His India Visit to Later in the Year
  2. OnePlus 11R Solar Red With 8GB RAM, 128GB Storage Debuts in India: See Price
  3. Xiaomi's HyperOS Is Now Coming to the Redmi Note 13 Series in India
  4. Leaked Images of the Pixel 9 Pro Suggest the Phone Could Look Like This
#Latest Stories
  1. Google Pixel 9 Pro Spotted in Leaked Hands-On Images Next to iPhone 15 Pro Max
  2. Elon Musk Postpones India Visit Due to 'Very Heavy Tesla Obligations'
  3. Bitcoin ‘Halving’ Software Update Cuts Supply of New Tokens in Threat to Miners
  4. Xiaomi 14 Series 'AI Treasure Chest' With Several AI Tools in Testing, Could Debut This Year: Report
  5. Redmi Note 13 5G Series HyperOS Update Based on Android 14 Begins Rolling Out in India
  6. YouTube Reportedly Rolling Out Support for 8K Resolution Videos on the Meta Quest
  7. Lenovo Yoga Slim 7 (2024) Design Spotted in Leaked Renders; Could Debut as First Snapdragon X Elite Laptop
  8. Samsung Galaxy Z Flip 6 With Snapdragon 8 Gen 3 SoC for Galaxy Allegedly Surfaces on Geekbench
  9. Itel S24 India Launch Teased; Confirmed to Come With 108-Megapixel Main Camera, MediaTek Helio G91 SoC
  10. BWA Lays Down Self-Regulatory Guidelines on Token Listings for Indian Crypto Exchanges
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »