Another 'massive security risk' found in Lenovo computers, company issues a patch

security_risk

Lenovo seems to be having a bad year. It hasn’t been long since the largest PC vendor was caught shipping its laptops with "Superfish" adware, and now we’re learning about some new vulnerabilities found in its computers. But before you slam your fist on your computer desk in dismay, the good news is that Lenovo has the patch ready, and you can download it right away.

Security firm IOActive reports vulnerabilities in Lenovo’s system update file. In a report titled "Lenovo’s System Update Uses a Predictable Security Token", the firm notes (PDF) that these vulnerabilities could allow hackers to bypass validation checks, and replace legitimate Lenovo applications with malicious programs and allow hackers to remotely run programs.

"Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute", the company says.

"Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed. The SUService.exe will then execute the command as the SYSTEM user".

IOActive notified Lenovo regarding these vulnerabilities in February, and the computer manufacturer rolled out a patch for it in April. We contacted Lenovo and a spokesperson told us that users will be notified about this update, and alternatively they can download the patch manually from company’s website. In a statement to BetaNews, the company urges users to update their computers. "Lenovo encourages its users to keep their systems up to date by allowing automatic updates to run when prompted".

If you have a Lenovo PC, we advise you to snag the latest update which replaces the token authentication method. It is available through the System Update. Alternatively, you can download it from here.

Do you think these incidences will damage the company's reputation? Let us know your views in the comments section below.

Photo credit: Olivier Le Moal / Shutterstock

8 Responses to Another 'massive security risk' found in Lenovo computers, company issues a patch

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.