

By John Leyden, 6th May 2015 14:02

Lenovo system update flaws plugged, security world not impressed

L is for Lenovo, lax, lackadaisical, loophole and many other words

Lenovo faces renewed accusations of lax security practices - just three months after the Superfish debacle - after it was obliged to fix flaws in its software update system.

Security researchers at IOActive uncovered a weakness in the way Lenovo System Update validated the executables it downloads: an attacker could create a fake certificate authority, sign executables with it, and have them accepted as genuine. Combined with a man-in-the-middle position on an untrusted wireless network, of the type commonly found in coffee shops, pubs and transport hubs, the trick could be used to replace legitimate Lenovo programs with malware, as IOActive explains:

Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them.

Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.
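The practical lesson from the IOActive finding is that "the file carries a signature" is not the same check as "the file is signed by the publisher we expect, chained to a root we trust". The PowerShell below is an added example, not Lenovo's or IOActive's code and not a description of how System Update actually performed its check. It contrasts a weak verifier that only inspects the signer's name with one that requires a valid Authenticode signature, builds the chain itself and pins the root. The publisher name and root thumbprint are placeholders, not real Lenovo values.

```powershell
# Added example: weak vs. hardened verification of a downloaded updater binary.
# Placeholder values (assumptions for illustration only, not real Lenovo data):
$ExpectedPublisherCN   = 'CN=Example Update Publisher'
$ExpectedRootThumbprint = '0000000000000000000000000000000000000000'

function Test-WeakUpdateSignature {
    param([Parameter(Mandatory)][string]$Path)
    # WEAK: accepts any signature whose signer certificate carries the expected
    # subject. Nothing here ties the signer to a trusted root, so an attacker
    # who can swap the download (the coffee-shop MITM) can sign malware with a
    # self-issued certificate bearing the same name and pass this check.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) { return $false }
    return ($sig.SignerCertificate.Subject -like "*$ExpectedPublisherCN*")
}

function Test-TrustedUpdateSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The Authenticode signature itself must verify: file hash matches the
    #    signed hash and Windows can chain the signer to a trusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Verbose "Signature status for ${Path}: $($sig.Status)"
        return $false
    }

    # 2. Build the chain ourselves and pin the root. A root that merely exists in
    #    the machine store is not enough: a rogue CA planted by a local attacker
    #    or pushed through a compromised channel would satisfy step 1 alone.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($sig.SignerCertificate)) {
        Write-Verbose "Chain build failed: $($chain.ChainStatus | ForEach-Object StatusInformation)"
        return $false
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
        Write-Verbose "Unexpected root: $($root.Thumbprint)"
        return $false
    }

    # 3. The leaf must be the publisher we expect, not merely some cert that
    #    chains to the pinned root.
    return ($sig.SignerCertificate.Subject -like "*$ExpectedPublisherCN*")
}

function Invoke-UpdateIfTrusted {
    param([Parameter(Mandatory)][string]$Path)
    # Refuse to execute unless the hardened check passes. Running the binary
    # with elevated rights is exactly the step the weak check leaves exposed.
    if (-not (Test-TrustedUpdateSignature -Path $Path)) {
        throw "Refusing to run '$Path': signature did not pass trust checks."
    }
    Start-Process -FilePath $Path -Wait
}

# Usage (the path is an assumed location):
# Invoke-UpdateIfTrusted -Path 'C:\Temp\update.exe' -Verbose
```

Pinning the root and the publisher subject is what defeats the fake-CA trick the article describes; the download channel should still be HTTPS with server certificate validation, but the signature check is what protects the step where the file is executed as a privileged user.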

Separate vulnerabilities - also affecting Lenovo System Update and earlier versions - meant that a least-privileged local user could run commands as a system user, or an unprivileged user could run commands as an administrator*. IOActive discovered the vulnerabilities in February, notified Lenovo, and worked with the company on a combined fix, released last month.

More details on the vulnerabilities can be found in an advisory by IOActive (PDF).

Security experts in academia and elsewhere were unimpressed that Lenovo had allowed a fairly basic security mistake to slip under its radar. Examples of their world-weary reaction on Twitter can be found here, here and here.

"Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them," the computer maker said in a statement today.

Lenovo created a storm of controversy in February with its pre-installed Superfish crapware, which ran man-in-the-middle attacks against consumers in order to sling ads. The Chinese PC maker initially dragged its heels and insisted it had done nothing wrong before bowing to pressure and reversing its stance, saying it was done with bloatware. ®
