
Security researchers found another 'massive security risk' in Lenovo computers

Chinese PC maker issues a patch to fix multiple vulnerabilities


By Rich McCormick on May 6, 2015 12:08 am

Three months after Lenovo was called out for installing dangerous software onto its computers, the world's largest PC manufacturer has once again been accused of lax security measures. Security firm IOActive reports that it discovered major vulnerabilities in Lenovo's update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar.
THE VULNERABILITIES WERE FOUND IN FEBRUARY
Through one of the vulnerabilities, IOActive researchers explained that attackers could create a fake certificate authority to sign executables, allowing malicious software to masquerade as official Lenovo software. Should a Lenovo owner update their machine in a coffee shop, another individual could conceivably use the security hole to swap Lenovo's programs with their own, what the researchers call the "classic coffee shop attack." The security hole, along with others described by IOActive, is present in Lenovo System Update 5.6.0.27 and earlier versions.
The vulnerabilities, which were first discovered by the security specialists back in February, were brought to Lenovo's attention at the time in order to allow the Chinese firm to develop a fix. The company issued a patch last month that removes the bugs, but owners of Lenovo machines will need to download the security update themselves in order to avoid having their computers compromised by what IOActive calls a "massive security risk." Lenovo may have reacted quickly to the problems, but as the world's number one PC manufacturer tries to grow even bigger, it's yet another embarrassing security hole in its software.
THERE ARE 20 COMMENTS.
treehuggr
Reason #5750 to get a surface pro over lenovo, or any other oem notebooks.
Posted on May 6, 2015 | 12:11 AM
M_Swizzle
Windows gets security patches too, along with every os and program .. That's what monthly patch Tuesdays are for at MS.
Lenovo did right, they patched it when discovered. They were prudent.
Posted on May 6, 2015 | 12:27 AM
TinyLittleSeer
Whilst I hate OEM crapware as much as the next person this is actually a textbook example of how to handle a security flaw.
Researchers found a vulnerability and notified Lenovo who promptly fixed the vulnerability and issued a patch, apparently before it was exploited in the wild.
This is a non-issue and nothing like the Superfish adware.
Posted on May 6, 2015 | 12:55 AM
hamsah
Surface is not a laptop. Lenovo's hardware just forms windows high end. As the others have said, problem found, problem fixed, this is how it should be done.
Posted on May 6, 2015 | 2:28 AM


Ezhik
What about the TrackPoint, the rollcage, replaceable batteries, DVD drives, more than 1 USB port, LAN, VGA, eSATA, mini-PCIe, user repairability, extendable RAM, replaceable storage, and fingerprint readers?
Posted on May 6, 2015 | 4:16 AM
ldrn
Those are all reasons in the other column.
TrackPoint

@ _ @

Posted on May 6, 2015 | 4:33 AM


Chaz_UK
Screw OEM preinstalled crap.
First thing I do to a computer is install a fresh, virgin install of Windows.
Posted on May 6, 2015 | 12:16 AM
M_Swizzle
Windows and android have vulnerabilities as well that require patching. I understand getting upset about the last event with potential ad injection software, but this recent event is a discovered vulnerability that was patched when discovered, just as MS, Google, or any good company does.
In other words, nothing to see here.
Posted on May 6, 2015 | 12:25 AM
trojan__market
which is why I buy laptops from Microsoft store or if there is a good deal the first thing I do is use windows key to reinstall OS before even using it. bloatwares are always problematic
Posted on May 6, 2015 | 12:41 AM
Sorto
When W10 launches and you can buy W10 devices you no longer really have to do that, especially for people who can't even buy one from MS like we in Europe.
I'd imagine you will probably see some Tutorials on various websites once they "discover" that feature, because in Windows 10 OEMs can no longer put a recovery image that can be used for online reset/refresh and instead have a little image that literally only has changes in it so you can delete the package or rename it and when you Refresh or reset Windows you get a clean Windows, it's a bit more work but it's a pretty good option if you can't buy a signature PC and it doesn't require you to download some .iso etc to re-install windows.
Posted on May 6, 2015 | 3:06 AM
ldrn
That's a lot like what I do, only it's a different OS :smile:
Posted on May 6, 2015 | 4:34 AM
getsir
security vulnerabilities or backdoors? why do i get a feeling that these might have been intentionally left security bugs under the orders of Chinese government?
Posted on May 6, 2015 | 12:46 AM
NigelTufnel
Exactly. This is most likely not a mistake.
Posted on May 6, 2015 | 1:02 AM

jeevanmn
The truth is out
Posted on May 6, 2015 | 2:52 AM
echomrg
nope, the "bugs" left under orders by the Chinese government aren't found so easily.
Posted on May 6, 2015 | 3:36 AM
JohnDavidson
Lenovo was better under IBM.
Posted on May 6, 2015 | 1:36 AM
aThingOrTwo
Thinkpad?
Posted on May 6, 2015 | 3:51 AM
iChiranjeeb
security hole found and fixed. nothing to see here. move on.
Posted on May 6, 2015 | 2:03 AM
Ezhik
No, let's keep shaming OEMs until we get crapless vanilla Windows on all new laptops.
Posted on May 6, 2015 | 4:18 AM
Visa Declined
I'm glad this shit isn't happening to Asus.
Posted on May 6, 2015 | 4:13 AM
