Security researchers have discovered major vulnerabilities in Lenovo's PCs that could allow hackers to bypass validation checks and replace legitimate Lenovo programs with malicious software to control the computers remotely.
Security firm IOActive reports that attackers could create a fake certificate authority to sign executables, allowing malicious software to impersonate official Lenovo software. When a Lenovo PC user updates their machine in a crowded public place such as a coffee shop, another person on the same network could use the security hole to swap Lenovo's programs with their own. Researchers call this the "classic coffee shop attack." The security flaws are reportedly present in Lenovo System Update 126.96.36.199 as well as earlier versions.
The security threat was first discovered in February and was brought to Lenovo's attention in order to allow the Chinese firm to develop a fix. The PC maker quickly released a security patch last month to remove the bugs from the system, but users have to download the security update themselves to avoid having their computers compromised by what IOActive calls a major security threat. Researchers state, “Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk.”
The researchers explain, “The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables. Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.”
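The gap the researchers describe, a signature that is checked against the certificate shipped with the download but never tied back to a trusted root, is easy to see in code. The Go program below is an added example written for this article; it is not code from Lenovo, IOActive, or System Update, and it models a generic signed-update check rather than Lenovo's actual implementation. All names in it are constructed: the vendor root "Example Vendor Root CA", the signer name "Example Vendor Update Signing", the payload bytes, and the helpers issueCert, signUpdate, verifyIncomplete, verifyComplete and RunScenario. It builds a genuine vendor CA and a rogue CA that copies the vendor's names but has its own keys, signs the same payload under each, and runs both the incomplete check (signature plus subject name) and the complete check (chain to a pinned root, code-signing usage).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // key or certificate generation failed; nothing sensible to continue with
	}
}

// issueCert makes a code-signing certificate for subject, signed by parent, or self-signed when parent is nil.
func issueCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // good enough for a constructed example
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SignedUpdate models a downloaded update: payload, detached signature, and the signer's certificate.
type SignedUpdate struct {
	Payload, Signature []byte
	Cert               *x509.Certificate
}

func signUpdate(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) SignedUpdate {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return SignedUpdate{Payload: payload, Signature: sig, Cert: cert}
}

// verifyIncomplete is the flawed check: the signature verifies against whatever certificate ships
// with the update, and its subject name looks right. Nothing ties that certificate to a trusted root.
func verifyIncomplete(u SignedUpdate, vendor string) error {
	if u.Cert.Subject.CommonName != vendor {
		return fmt.Errorf("signer %q is not %q", u.Cert.Subject.CommonName, vendor)
	}
	return u.Cert.CheckSignature(x509.ECDSAWithSHA256, u.Payload, u.Signature)
}

// verifyComplete adds the missing step: the signer certificate must chain to a pinned vendor root.
func verifyComplete(u SignedUpdate, vendor string, roots *x509.CertPool) error {
	if err := verifyIncomplete(u, vendor); err != nil {
		return err
	}
	_, err := u.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// RunScenario builds a vendor CA and an attacker CA that copies the vendor's names but has its own
// keys, signs the same payload under each, and reports which check accepted which update.
func RunScenario() map[string]bool {
	const vendor = "Example Vendor Update Signing" // constructed name, not a real signer
	vendorRoot, vendorRootKey := issueCert("Example Vendor Root CA", true, nil, nil)
	vendorLeaf, vendorLeafKey := issueCert(vendor, false, vendorRoot, vendorRootKey)
	rogueRoot, rogueRootKey := issueCert("Example Vendor Root CA", true, nil, nil)
	rogueLeaf, rogueLeafKey := issueCert(vendor, false, rogueRoot, rogueRootKey)
	roots := x509.NewCertPool()
	roots.AddCert(vendorRoot) // only the genuine vendor root is trusted
	payload := []byte("constructed update payload") // stands in for the downloaded executable
	genuine := signUpdate(payload, vendorLeaf, vendorLeafKey)
	rogue := signUpdate(payload, rogueLeaf, rogueLeafKey)
	return map[string]bool{
		"genuine/incomplete": verifyIncomplete(genuine, vendor) == nil,
		"genuine/complete":   verifyComplete(genuine, vendor, roots) == nil,
		"rogue/incomplete":   verifyIncomplete(rogue, vendor) == nil,
		"rogue/complete":     verifyComplete(rogue, vendor, roots) == nil,
	}
}

func main() {
	fmt.Println(RunScenario()) // the rogue update passes only the incomplete check
}
```

The point of the two verifiers is the asymmetry in their results: the genuine update passes both, while the rogue update, whose certificate carries the right name and a valid signature, passes verifyIncomplete and is rejected only by verifyComplete, because its issuer is not in the pinned root pool. An updater that stops at the first check is exactly what the researchers mean by "does not completely verify"; pinning the vendor root (or a specific signing certificate) and requiring the code-signing key usage is the corresponding fix on the defender's side.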
Earlier this year, one of the world's largest PC makers was accused of installing adware on its new computers that injected ads into search engine results without the user's permission. The software could also be used for man-in-the-middle attacks and even take control of SSL/TLS connections to websites. After the news was made public, Lenovo issued a public apology for installing the adware. Peter Hortensius, Lenovo’s Chief Technology Officer, said in an interview, “We messed up badly here. We made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.”