Lenovo PCs Have 'Massive Security Risk' Say Researchers; Fix Issued

Advertisement
By Ketan Pratap | Updated: 7 May 2015 15:19 IST
Lenovo's image has taken another hit with a report of another software-related glitch on its computers that could potentially allow attackers to bypass signature validation checks and replace trusted Lenovo applications with malware.

Security researchers Michael Milvich and Sofiane Talmat of IOActive discovered a 'massive security risk' in the Lenovo System Update software in February, and reported the issue to the world's biggest PC maker. The researchers have now made the vulnerabilities public after Lenovo has issued a patch for the application.

The Chinese company has posted a patch for consumers on its support page titled "Lenovo System Update Privilege Escalation." Affected machines in the Lenovo lineup are the Lenovo ThinkPad, ThinkCentre, ThinkStation, and other Lenovo laptop (V, B, K, and E) series. Users of these machines can either run Lenovo System Update and install the new version when prompted by the app, or download and install the latest version manually.

Milvich and Talmat of IOActive have detailed three vulnerabilities in the Lenovo System Update software in a security advisory. According to the IOActive security advisory, the CVE-2015-2219 vulnerability allows local least-privileged users to run commands as the system user. The CVE-2015-2233 vulnerability, on the other hand, allows a hacker to replace the trusted company software with any malicious software.

Advertisement

"Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against "coffee shop" style attacks," notes the IOActive security advisory. Lastly, CVE-2015-2234 vulnerability allows local unprivileged users to run commands as an administrative user.

Advertisement

All the vulnerabilities reported by security researchers have been fixed in the new version of the Lenovo System Update software released by the Chinese firm, confirms IOActive security advisory. Lenovo has also thankedMilvich and Talmat of IOActive for reporting issues to the company in a responsible manner.

To recall, Lenovo faced much flak back in February when it was found to be pre-installing Superfish software, classified as adware by researchers, on its computers. After defending the software as a shopping tool to aid users, the world's largest PC maker promised to stop pre-installing such software.

 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Best Diwali 2025 Wishes, Quotes, and Facebook Statuses to Share
  2. Diwali 2025 Gift Ideas: Mobile Phones and Gadgets to Give to Your Loved Ones
  1. Mysterious Asteroid Impact Found in Australia, But the Crater is Missing
  2. Thanal Comes to OTT: Everything You Need to Know About This Tamil Action Thriller
  3. Madam Sengupta Is Now Streaming: Know Where to Watch This Bangla Crime Thriller
  4. Ryugu Samples Reveal Ancient Water Flow on Asteroid for a Billion Years
  5. Scientists Create Most Detailed Radio Map of Early Universe Using MWA
  6. Mayor of Kingstown Season 4 OTT Release: Know When, Where to Watch Jeremy Renner's Crime Drama
  7. Our Fault Is Streaming Now: Know All About This Gabriel Guevara and Nicole Wallace Starrer
  8. The Conjuring: Last Rites Is Now Streaming Online: Know Where to Watch the Latest Installment from the Horror Franchise
  9. Delhi Crime Season 3 OTT Release: Know When to Watch This Shefali Shah Thriller Series
  10. Vast Space to Launch Haven-1, the World’s First Private Space Station in 2026
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.