By John Leyden, 6th May 2015 14:02

Lenovo system update flaws plugged, security world not impressed

L is for Lenovo, lax, lackadaisical, loophole and many other words

Lenovo faces renewed accusations of lax security practices - just three months after the Superfish debacle - after it was obliged to fix flaws in its software update system.

Security researchers at IOActive uncovered a mechanism that would have allowed hackers to create a fake certificate authority in order to sign executables. The trick could be used to replace legitimate Lenovo programs with malware by hackers on the same untrusted wireless network, of the type commonly found in coffee-shops, pubs and transport hubs, as IOActive explains:

Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them.

Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.

Separate vulnerabilities - also affecting Lenovo System Update and earlier versions - meant that least-privileged users could run commands as a system user, or an unprivileged user could run commands as an administrator*. IOActive discovered the vulnerabilities in February before notifying Lenovo and liaising in the development of a combined fix, released last month.

More details on the vulnerabilities can be found in an advisory by IOActive (here, pdf).

Security experts in academia and elsewhere were unimpressed that Lenovo had allowed a fairly basic security mistake to slip under its radar. Examples of their world-weary reaction on Twitter can be found here, here and here.

"Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them," the computer maker said in a statement today.

Lenovo created a storm of controversy in February with its pre-installed Superfish crapware, which ran man-in-the-middle attacks against consumers in order to sling ads. The Chinese PC maker initially dragged its heels and insisted it had done nothing wrong before bowing to pressure and reversing its stance, saying it was done with bloatware. ®
