Lenovo exposes PC users to 'massive security threat'

By Silky Malhotra | Published on 06 May 2015
HIGHLIGHTS

Security researchers find another 'security threat' in Lenovo computers.

Security researchers have discovered major vulnerabilities in Lenovo's PCs that could allow hackers to bypass validation checks and replace legitimate Lenovo programs with malicious software to control the computers remotely.

Security firm IOActive reports that attackers could create a fake certificate authority to sign executables, allowing malicious software to impersonate official Lenovo software. When a Lenovo PC user updates their machine in a crowded public place like a coffee shop, another individual could easily use the security hole to swap Lenovo's programs with their own. Researchers call this the "classic coffee shop attack." The security flaws are reportedly present in Lenovo System Update 5.6.0.27 as well as earlier versions.

The security flaws were first discovered in February and were brought to Lenovo's attention in order to allow the Chinese firm to develop a fix. The PC maker quickly released a security patch last month to remove the bugs from the system, but users have to download the security update themselves to avoid having their computers compromised by what IOActive calls a major security threat. Researchers state, “Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk.”

The researchers explain, “The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables. Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.”
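To illustrate why a signature check that "does not completely verify" the chain gives no protection, here is an added example (not IOActive's or Lenovo's code) that compares a verifier that only checks that each signature in a chain is internally consistent with one that also requires the root key to match a pinned trust anchor. It uses toy textbook RSA built from small Mersenne primes so it runs with the standard library only; all names and sample data are constructed, and the page does not detail the exact check System Update skipped, so this models the general class of flaw.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys

def toy_key(a, b):
    """Toy RSA key from two Mersenne primes (illustration only, not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

@dataclass
class Cert:
    subject: str
    n: int        # subject's public modulus
    sig: int = 0  # issuer's signature over tbs()
    def tbs(self):
        return f"{self.subject}|{self.n}".encode()

def issue(subject, subj_n, issuer_n, issuer_d):
    c = Cert(subject, subj_n)
    c.sig = sign(c.tbs(), issuer_n, issuer_d)
    return c

def chain_consistent(exe, exe_sig, leaf, root):
    """Incomplete check: every signature verifies, but the root is never anchored."""
    return (verify(exe, exe_sig, leaf.n) and verify(leaf.tbs(), leaf.sig, root.n)
            and verify(root.tbs(), root.sig, root.n))

def chain_trusted(exe, exe_sig, leaf, root, pinned_root_n):
    """Complete check: as above, plus the root key must equal the pinned anchor."""
    return root.n == pinned_root_n and chain_consistent(exe, exe_sig, leaf, root)

def make_chain(root_name, root_primes, leaf_primes, exe):
    rn, rd = toy_key(*root_primes)
    ln, ld = toy_key(*leaf_primes)
    root = issue(root_name, rn, rn, rd)  # self-signed root
    leaf = issue("Code Signing", ln, rn, rd)
    return exe, sign(exe, ln, ld), leaf, root

# Constructed sample chains: the vendor's own, and one under an unknown root.
VENDOR = make_chain("Vendor Root CA", (89, 107), (61, 89), b"genuine update")
OTHER = make_chain("Unrecognised Root CA", (107, 127), (61, 127), b"swapped update")
PINNED_N = VENDOR[3].n  # trust anchor shipped with the updater (assumption)
```

Both chains pass `chain_consistent`, because anyone can mint a self-signed root; only `chain_trusted` separates them, which is the check an updater has to perform before running a downloaded executable.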

Earlier this year, the company, one of the world's largest PC makers, was accused of installing adware on its new computers that displays ads in search engine results without the user's permission. The software could also be used for man-in-the-middle attacks and even to take control of SSL/TLS connections to websites. After the news was made public, Lenovo issued a public apology for installing the adware. Peter Hortensius, Lenovo’s Chief Technology Officer, said in an interview, “We messed up badly here. We made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.”

Source: ioactive
