It has barely been three months since Lenovo was embroiled in controversy over its “Superfish” adware installations, yet it seems the world’s largest PC maker has taken another PR hit. This time, however, it isn’t about Lenovo installing malware on its products but about failing to safeguard critical software it ships. Vulnerabilities found in Lenovo’s System Update service leave practically any Lenovo PC user open to compromise and infection, using nothing more complicated than a man-in-the-middle (MITM) attack, one of the most basic weapons in a criminal’s arsenal.
That software has bugs is almost a fact of life, but some software needs to be guarded against security holes more carefully than the rest. One example is the Lenovo System Update service, which Lenovo preinstalls on its PCs. Its purpose is to let users install the latest drivers and security patches from Lenovo and software vendors, a job that requires it to run with high privileges. Ironically, that makes it a means by which hackers can take control of a computer.
Three vulnerabilities have been found in Lenovo’s System Update. In particular, CVE-2015-2233 would allow local or remote attackers (as in, someone on the same coffee-shop network, sitting between the PC and Lenovo’s update servers) to bypass Lenovo’s security checks and swap out valid program updates for malware. Add to this vulnerabilities that allow such attackers to gain administrator privileges, and you have a recipe for disaster.
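To make the man-in-the-middle scenario concrete, here is an added illustration written for this page. It is not Lenovo’s or IOActive’s code and it does not reconstruct the actual CVE-2015-2233 flaw; it contrasts an update client that trusts a hash sent over the same unauthenticated connection with one that verifies a detached Ed25519 signature against a public key pinned in the client. The vendor key pair, the update format, the sample payloads and the attacker’s swap are all constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is the bundle an update client fetches from the vendor's server.
// This is a constructed stand-in for the demonstration, not Lenovo's format.
type Update struct {
	Payload []byte // the driver or patch executable
	Hash    string // hex SHA-256 of Payload, sent over the same connection
	Sig     []byte // detached Ed25519 signature over Payload by the vendor key
}

// vendorPublish models the vendor preparing a genuine update: it computes the
// hash and signs the payload with the vendor's private key.
func vendorPublish(priv ed25519.PrivateKey, payload []byte) Update {
	sum := sha256.Sum256(payload)
	return Update{
		Payload: payload,
		Hash:    hex.EncodeToString(sum[:]),
		Sig:     ed25519.Sign(priv, payload),
	}
}

// mitmSwap models an attacker on the network path (the coffee-shop MITM). The
// attacker replaces the payload with malware and recomputes the plain hash so
// any check that trusts that hash still passes. The signature cannot be
// recomputed without the vendor's private key, so it is left untouched.
func mitmSwap(u Update, malware []byte) Update {
	sum := sha256.Sum256(malware)
	return Update{Payload: malware, Hash: hex.EncodeToString(sum[:]), Sig: u.Sig}
}

// weakVerify is a check that gives no protection against a MITM: it compares
// the payload only against a hash delivered over the same unauthenticated
// channel, which the attacker controls as well.
func weakVerify(u Update) error {
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != u.Hash {
		return errors.New("hash mismatch")
	}
	return nil
}

// strongVerify checks the detached signature against a public key pinned in
// the client itself (shipped with the binary, never downloaded). A swapped
// payload fails here no matter what else the attacker rewrites in transit.
func strongVerify(pinned ed25519.PublicKey, u Update) error {
	if len(u.Sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, u.Payload, u.Sig) {
		return errors.New("signature invalid: refusing to install")
	}
	return nil
}

// Result records which updates each check would have installed.
type Result struct {
	WeakAcceptsGenuine   bool
	WeakAcceptsSwapped   bool
	StrongAcceptsGenuine bool
	StrongAcceptsSwapped bool
}

// Scenario runs the whole exchange: the vendor publishes, the MITM swaps, and
// both client checks are run against the genuine and the swapped bundle.
func Scenario() (Result, error) {
	// Vendor key pair, generated here only for the demonstration; a real
	// client would carry just the public half, compiled into the updater.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	genuine := vendorPublish(priv, []byte("constructed sample driver update v1"))
	swapped := mitmSwap(genuine, []byte("constructed sample malware"))

	return Result{
		WeakAcceptsGenuine:   weakVerify(genuine) == nil,
		WeakAcceptsSwapped:   weakVerify(swapped) == nil,
		StrongAcceptsGenuine: strongVerify(pub, genuine) == nil,
		StrongAcceptsSwapped: strongVerify(pub, swapped) == nil,
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("hash-over-same-channel check: genuine=%t swapped=%t\n", r.WeakAcceptsGenuine, r.WeakAcceptsSwapped)
	fmt.Printf("pinned-key signature check:   genuine=%t swapped=%t\n", r.StrongAcceptsGenuine, r.StrongAcceptsSwapped)
}
```

The hash-only client installs both bundles, the pinned-key client installs only the genuine one. Two practical points follow from this: the key used to verify must already be on the machine, not fetched through the channel being attacked, and the bytes that are verified must be the same bytes that are later executed, read from a location an unprivileged user cannot modify between the check and the install.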
The vulnerabilities were discovered by security firm IOActive, which reported them to Lenovo and is disclosing them now, after giving the PC maker a chance to roll out fixes. Lenovo says the security holes have been patched by fixes available since April 1 of this year. IOActive, however, points out that users still have to download the fixes themselves, which implicitly requires them to know about the problem in the first place.
In its latest security advisory, Lenovo says that all users will be prompted to install the latest version of System Update, which plugs the holes; manual updates are available as well. So far, no incidents exploiting these vulnerabilities have been reported. Lenovo may have gotten lucky this time.