Lenovo Puts Users At Massive Security Risk

Earlier this year we reported that Lenovo laptops were shipping with preinstalled adware called Superfish that left user data exposed. This time, researchers from IOActive have disclosed three vulnerabilities in Lenovo's System Update service. The first, CVE-2015-2233, could let an attacker in a man-in-the-middle position deliver malicious executables that System Update accepts as "trusted" updates: the client verified the signature on downloaded files but did not validate the certificate chain back to a trusted CA, so a file signed with an attacker-controlled certificate passed the check.

Another vulnerability, CVE-2015-2219, lets a local, unprivileged user obtain SYSTEM-level access. The System Update service exposes a named pipe over which clients send commands for the service to execute, and the check meant to restrict that pipe to trusted callers can be bypassed. Successful exploitation lets an attacker run arbitrary programs on the target PC with the service's privileges.

The IOActive researchers wrote: "Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk. Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute. Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions."
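The following is an added example, not code from IOActive's advisory or from Lenovo's product. It models the named-pipe command service described in the quote: a privileged service that executes a command if the client supplies the right "security token". The token derivation (a hash of the current minute plus a fixed string) is a hypothetical stand-in for the real scheme, chosen only to show the failure mode the researchers describe, a token that any local user can recompute from inputs everyone can see. The hardened variant shows the alternative a practitioner would reach for: authorise on the caller's OS identity, not on a string the caller sends.

```python
import hashlib
import hmac

# Added example, not code from IOActive's advisory or Lenovo's product.
# The salt and clock values below are constructed for the example.

HYPOTHETICAL_SALT = b"system-update-pipe"   # constructed; not Lenovo's value
CLOCK_DRIFT_MINUTES = 3                     # how far the attacker's clock guess may be off


def predictable_token(minute: int) -> str:
    """Weak scheme: depends only on public input, so anyone can recompute it."""
    return hashlib.sha256(HYPOTHETICAL_SALT + str(minute).encode()).hexdigest()


class VulnerableService:
    """Runs any command whose token matches the token for the current minute."""

    def __init__(self, clock_minute):
        self._clock_minute = clock_minute   # callable returning the service's clock
        self.executed = []                  # commands that "ran as SYSTEM"

    def handle(self, token: str, command: str) -> bool:
        expected = predictable_token(self._clock_minute())
        if hmac.compare_digest(token, expected):
            self.executed.append(command)
            return True
        return False


def unprivileged_attacker(service: VulnerableService, command: str, guess_minute: int) -> bool:
    """Needs no privileges at all: recompute the token for a small clock window
    and try each candidate until the service accepts one."""
    for drift in range(-CLOCK_DRIFT_MINUTES, CLOCK_DRIFT_MINUTES + 1):
        if service.handle(predictable_token(guess_minute + drift), command):
            return True
    return False


class HardenedService:
    """Authorises on the caller's OS identity instead of a client-supplied string.
    `caller_is_admin` stands in for the service impersonating the pipe client
    and checking its group membership; nothing the client sends can change it."""

    def __init__(self):
        self.executed = []

    def handle(self, command: str, caller_is_admin: bool) -> bool:
        if not caller_is_admin:
            return False
        self.executed.append(command)
        return True


if __name__ == "__main__":
    svc = VulnerableService(lambda: 27_900_000)       # constructed clock value
    print("forged:", unprivileged_attacker(svc, "cmd.exe /c whoami", 27_900_001))
    print("ran:", svc.executed)
```

On Windows the identity check that `caller_is_admin` stands in for is done by the service impersonating the pipe client (ImpersonateNamedPipeClient) and inspecting the resulting token, or by putting an ACL on the pipe that denies connections from non-administrators; a shared token only helps if it is random per boot and stored where unprivileged users cannot read it.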

A third vulnerability, CVE-2015-2234, is a race condition in the install process. System Update saves downloaded executables in a directory that any local user can write to, then verifies their signatures and runs them; a local unprivileged user who replaces a file between the signature check and its execution gets their own code run with administrative privileges.
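The race above, as an added example that is not Lenovo's code. It models an updater that downloads an executable into a directory other local users can write to, verifies it, then runs it; "running" is modelled as returning the bytes that would be handed to the OS, so the race can be observed without executing anything. The file contents, the trusted hash (standing in for the signature check) and the attacker's payload are all constructed for the example. The hardened variant copies the download into a directory only the service can write to before verifying and running it.

```python
import hashlib
import os
import tempfile

# Added example, not Lenovo's code. File contents and hash are constructed.

GENUINE = b"GENUINE-UPDATE"
TRUSTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()   # stands in for the signature check


def download(dest_dir: str) -> str:
    """Drop the 'downloaded' update into dest_dir, as the updater would."""
    path = os.path.join(dest_dir, "update.exe")
    with open(path, "wb") as f:
        f.write(GENUINE)
    return path


def verify_file(path: str) -> bool:
    """Check the file on disk against the trusted hash."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == TRUSTED_SHA256


def swap_payload(path: str) -> None:
    """What an unprivileged local user can do to a file in a world-writable directory."""
    with open(path, "wb") as f:
        f.write(b"ATTACKER-PAYLOAD")


def vulnerable_install(shared_dir: str, attacker=lambda path: None):
    """Verifies the file on disk, then opens it again to run it: two separate
    reads of a path the attacker can write to, with a window in between."""
    path = download(shared_dir)
    if not verify_file(path):
        return None
    attacker(path)                 # time-of-check / time-of-use window
    with open(path, "rb") as f:
        return f.read()            # what actually gets executed


def hardened_install(shared_dir: str, private_dir: str, attacker=lambda path: None):
    """Copies the download into a directory only the service can write to,
    then verifies and runs from there. The attacker only ever gets the shared
    path, modelling the restrictive ACL on private_dir."""
    staged = download(shared_dir)
    private = os.path.join(private_dir, "update.exe")
    with open(staged, "rb") as src, open(private, "wb") as dst:
        dst.write(src.read())
    if not verify_file(private):
        return None                # a swap made before the copy is caught here
    attacker(staged)               # same window, but the verified file is out of reach
    with open(private, "rb") as f:
        return f.read()


def run_demo(attacker=swap_payload) -> dict:
    """Run both installers against the given attacker and report what each executed."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        return {
            "vulnerable": vulnerable_install(shared, attacker),
            "hardened": hardened_install(shared, private, attacker),
        }


if __name__ == "__main__":
    for name, ran in run_demo().items():
        print(f"{name}: executed {ran!r}")
```

The protected directory only works if its ACL really denies write access to non-administrators (a service-owned folder under %ProgramData%, not %TEMP%), and the copy step must not follow links or reparse points the attacker planted in the shared directory; downloading straight into the protected directory removes that step entirely.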

The IOActive team first discovered the vulnerabilities back in February.

Affected Product:

Lenovo System Update (5.6.0.27 and earlier versions).

How To Protect Yourself?

If you are using Lenovo hardware with System Update 5.6.0.27 or earlier, update to version 5.06.0034 or later as soon as you can. Because the update mechanism itself is what a man-in-the-middle attacker could tamper with, fetch the new installer directly from Lenovo's support site over a network you trust rather than relying on the old client to update itself.
