
Chinese PC maker issues a patch to fix multiple vulnerabilities

Three months after Lenovo was found to be installing dangerous software onto its computers, the world’s largest PC manufacturer has again been accused of poor security measures. Security firm IOActive reported that it discovered major vulnerabilities in Lenovo’s update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar.

IOActive researchers explained that, through one of the vulnerabilities, attackers could create a fake certificate authority to sign executables, allowing malicious software to masquerade as official Lenovo software. If a Lenovo owner updates their machine in a coffee shop, another individual could conceivably use the security hole to swap Lenovo’s programs with their own. The security hole, along with others, is present in Lenovo System Update 5.6.0.27 and earlier versions.

The vulnerabilities, which were first discovered by the security specialists back in February, were brought to Lenovo’s attention at the time in order to allow the Chinese firm to develop a fix. The company issued a patch last month that removes the bugs, but owners of Lenovo machines will need to download the security update themselves in order to avoid having their computers compromised by what IOActive calls a “massive security risk.” Lenovo may have reacted quickly to the problems, but as the world’s number one PC manufacturer tries to grow even bigger, it’s yet another embarrassing security hole in its software.

You can find the system update link here.
