Lenovo exposes PC users to 'massive security threat'

By Silky Malhotra | Updated 6 May 2015
  • Security researchers find another 'security threat' in Lenovo computers.

Security researchers have discovered major vulnerabilities in Lenovo's PCs that could allow hackers to bypass validation checks and replace legitimate Lenovo programs with malicious software to control the computers remotely.


Security firm IOActive reports that attackers could create a fake certificate authority to sign executables, allowing malicious software to impersonate official Lenovo software. When a Lenovo PC user updates their machine in a crowded public place such as a coffee shop, another person nearby could use the security hole to swap Lenovo's programs for their own. Researchers call this the "classic coffee shop attack." The flaws are reportedly present in Lenovo System Update 5.6.0.27 as well as earlier versions.

The security threat was first discovered in February and was brought to Lenovo's attention to allow the Chinese firm to develop a fix. The PC maker released a security patch last month to remove the bugs, but users have to download the security update themselves to avoid having their computers compromised by what IOActive calls a major security threat. Researchers state, “Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk.”

The researchers explain, “The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables. Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.”
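The gap the researchers describe is the difference between checking that a signature matches the certificate bundled with a download and checking that the certificate itself chains to a root the updater is entitled to trust. The Go program below is an added example, not code from the article, from IOActive, or from Lenovo's updater; it builds two in-memory certificate hierarchies (a "Vendor" root that the updater pins, and an "Impostor" root anyone could generate), signs the same constructed payload under each, and runs both verification styles against them. All names, keys and the payload are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signer holds an in-memory root CA and one code-signing leaf issued under it.
// Everything is constructed for the demonstration; no real vendor keys are involved.
type signer struct {
	root    *x509.Certificate
	leaf    *x509.Certificate
	leafKey *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newSigner builds a self-signed root named after name and a code-signing leaf under it.
// Anyone can run this, which is exactly why the root must be pinned, not merely present.
func newSigner(name string) *signer {
	now := time.Now()
	rootKey := mustKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafKey := mustKey()
	leaf := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name + " Code Signing"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, &leafKey.PublicKey, rootKey)
	return &signer{root: root, leaf: leaf, leafKey: leafKey}
}

// sign produces an ASN.1 ECDSA signature over SHA-256(payload), the form that
// x509.Certificate.CheckSignature expects for ECDSAWithSHA256.
func (s *signer) sign(payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.leafKey, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifySignatureOnly is the incomplete check: the signature matches the certificate
// bundled with the download, but nobody asks who issued that certificate.
func verifySignatureOnly(cert *x509.Certificate, payload, sig []byte) error {
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}

// verifyWithChain is the complete check: the bundled certificate must chain to the
// vendor root pinned in the updater and be issued for code signing; only then is the
// signature over the payload accepted.
func verifyWithChain(pinnedRoot, cert *x509.Certificate, payload, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return fmt.Errorf("signing certificate not trusted: %w", err)
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}

func main() {
	vendor := newSigner("Vendor")     // the root the updater ships with and pins
	impostor := newSigner("Impostor") // a fake CA built by someone else
	update := []byte("constructed sample update payload")
	for _, s := range []*signer{vendor, impostor} {
		sig := s.sign(update)
		fmt.Printf("%-22s signature-only ok: %-5v chains to pinned root: %v\n",
			s.leaf.Subject.CommonName,
			verifySignatureOnly(s.leaf, update, sig) == nil,
			verifyWithChain(vendor.root, s.leaf, update, sig) == nil)
	}
}
```

Run as `go run main.go`: both signers pass the signature-only check, because each payload really was signed by the key in the certificate that accompanies it, while only the vendor's leaf passes the chain check against the pinned root. The design point for an updater is that the trust anchor lives in the client, not in the download: the certificate pool handed to Verify contains the vendor root and nothing else, and the expected extended key usage is stated so that a vendor-issued TLS certificate cannot be repurposed to sign updates.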


Earlier this year, one of the world's largest PC makers was accused of installing adware on its new computers that injected ads into search engine results without the user's permission. The software could also be used for man-in-the-middle attacks and could even take control of SSL/TLS connections to websites. After the news was made public, Lenovo issued a public apology for installing the adware. Peter Hortensius, Lenovo's Chief Technology Officer, said in an interview, “We messed up badly here. We made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.”

Source: ioactive
