Security researchers Michael Milvich and Sofiane Talmat of IOActive discovered a 'massive security risk' in the Lenovo System Update software in February, and reported the issue to the world's biggest PC maker. The researchers have now made the vulnerabilities public after Lenovo has issued a patch for the application.
The Chinese company has posted a patch for consumers on its support page titled "Lenovo System Update Privilege Escalation." Affected machines in the Lenovo lineup are the Lenovo ThinkPad, ThinkCentre, ThinkStation, and other Lenovo laptop (V, B, K, and E) series. Users of these machines can either run Lenovo System Update and install the new version when prompted by the app, or download and install the latest version manually.
Milvich and Talmat of IOActive have detailed three vulnerabilities in the Lenovo System Update software in a security advisory. According to the IOActive security advisory, the CVE-2015-2219 vulnerability allows local least-privileged users to run commands as the system user. The CVE-2015-2233 vulnerability, on the other hand, allows a hacker to replace the trusted company software with any malicious software.
"Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against "coffee shop" style attacks," notes the IOActive security advisory. Lastly, CVE-2015-2234 vulnerability allows local unprivileged users to run commands as an administrative user.
All the vulnerabilities reported by security researchers have been fixed in the new version of the Lenovo System Update software released by the Chinese firm, confirms IOActive security advisory. Lenovo has also thankedMilvich and Talmat of IOActive for reporting issues to the company in a responsible manner.
To recall, Lenovo faced much flak back in February when it was found to be pre-installing Superfish software, classified as adware by researchers, on its computers. After defending the software as a shopping tool to aid users, the world's largest PC maker promised to stop pre-installing such software.