Lenovo exposes PC users to 'massive security threat'

By Silky Malhotra | Published on 06 May 2015
HIGHLIGHTS
  • Security researchers find another 'security threat' in Lenovo computers.

Security researchers have discovered major vulnerabilities in Lenovo's PCs that could allow hackers to bypass validation checks and replace legitimate Lenovo programs with malicious software to control the computers remotely.

Security firm IOActive reports that attackers could create a fake certificate authority to sign executables, allowing malicious software to impersonate official Lenovo software. When a Lenovo PC user updates their machine in a crowded public place like a coffee shop, another individual could easily use the security hole to swap Lenovo's programs with their own. Researchers call this the "classic coffee shop attack." The security flaws are reportedly present in Lenovo System Update 5.6.0.27 as well as earlier versions.

The security flaws were first discovered in February and were brought to Lenovo's attention to allow the Chinese firm to develop a fix. The PC maker quickly released a security patch last month that removes the bugs from the system, but users have to download the security update themselves to avoid having their computers compromised by what IOActive calls a major security threat. Researchers state, “Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk.”

The researchers explain, “The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables. Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.”
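The difference between a partial and a complete signature check, as an added example that is not code from Lenovo or IOActive. It is a simplified model: the page does not say which check was missing, so the sketch assumes the updater confirmed that the signatures were internally consistent but never tied the issuing CA to a pinned trust anchor. Textbook RSA over small primes stands in for real code signing, and every name and value is constructed.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keypair(p, q):
    """Textbook RSA from two primes: returns (n, d). Toy only, no padding."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    n, d = key
    return pow(digest(data, n), d, n)

def sig_ok(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def issue(subject, subject_n, ca_key):
    """Certificate: subject name and public modulus, signed by the CA key."""
    body = f"{subject}|{subject_n}".encode()
    return {"subject": subject, "n": subject_n,
            "issuer_n": ca_key[0], "sig": sign(body, ca_key)}

def package(payload, leaf_key, cert):
    return {"payload": payload, "sig": sign(payload, leaf_key), "cert": cert}

def incomplete_verify(pkg):
    """Signatures are internally consistent; who the issuer is goes unchecked."""
    c = pkg["cert"]
    body = f"{c['subject']}|{c['n']}".encode()
    return sig_ok(pkg["payload"], pkg["sig"], c["n"]) and sig_ok(body, c["sig"], c["issuer_n"])

def complete_verify(pkg, trusted_roots):
    """Same checks, plus the issuer key must be a pinned trust anchor."""
    return incomplete_verify(pkg) and pkg["cert"]["issuer_n"] in trusted_roots

# Constructed sample data: Mersenne primes are used only as convenient toy primes.
def M(k):
    return 2**k - 1
vendor_ca, vendor_leaf = keypair(M(61), M(89)), keypair(M(107), M(127))
other_ca, other_leaf = keypair(M(61), M(107)), keypair(M(89), M(127))
TRUSTED = {vendor_ca[0]}  # the only root the updater should accept
genuine = package(b"update-1", vendor_leaf, issue("Vendor Updates", vendor_leaf[0], vendor_ca))
untrusted = package(b"update-1", other_leaf, issue("Vendor Updates", other_leaf[0], other_ca))
```

Both packages pass `incomplete_verify`, because each chain is valid against the CA key delivered with it; only `complete_verify` with the pinned root set rejects the one issued under the unknown CA.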

Earlier this year, Lenovo, one of the world's largest PC makers, was accused of installing adware on its new computers that inserts ads into search engine results without the user's permission. The software could also be used for man-in-the-middle attacks and even to take control of SSL/TLS connections to websites. After the news was made public, Lenovo issued a public apology for installing the adware. Peter Hortensius, Lenovo’s Chief Technology Officer, said in an interview, “We messed up badly here. We made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.”

Source: IOActive
