Lenovo Computers Have 'Massive Security Risk'
By Shirley Siluk / CRM Daily
Published: May 7, 2015
This year has proved to be a bumpy one for China-based Lenovo, whose computers were again found to contain several security vulnerabilities. The latest three "high" severity vulnerabilities were discovered in February by researchers at IOActive.

Earlier this year, Lenovo's consumer notebooks were found to include preloaded adware called Superfish that could compromise users' data. The company apologized for including the software on its devices and pledged to eliminate any "bloatware" on future computers.

The three latest vulnerabilities were discovered by IOActive researchers Michael Milvich and Sofiane Talmat, who then notified Lenovo about the problems. Lenovo released patches for all three issues on April 3.

All ThinkPads, Other Devices Affected

Lenovo is the world's largest maker of consumer PCs. In releasing its shipment figures for the first quarter of 2015 last month, the company reported that it had a 19.6-percent share of the world market and had achieved a new record market share of 11.8 percent in the U.S.

The company released a statement on Wednesday saying its development and security teams had been working with IOActive to address the latest vulnerabilities, and had updated its Lenovo System Update on April 1.

While the System Update should prompt users to automatically install a new program to resolve the latest vulnerabilities, users can also run the updater manually. Among the devices that might have been affected by the flaws discovered by IOActive are all ThinkPads, all ThinkCentres, and all ThinkStations as well as computers in the Lenovo V/B/K/E series.

When Lenovo issued its apology earlier this year, it noted that the Superfish incident reinforced the principle that "customer experience, security and privacy must be our top priorities . . . Our goal is clear: To become the leader in providing cleaner, safer PCs."

'Massive Security Risk'

In their technical analysis, Milvich and Talmat describe three vulnerabilities, all of which affected Lenovo's previous version of its System Update. Those flaws included the use of a predictable security token, the presence of signature validation errors and a so-called "race condition" in which multiple operations that need to be performed in a certain sequence "race" one another to complete.

With the Lenovo System Update race condition, two executables were competing: verification of the signature and execution of the saved executable. This opened up the system to the possibility that a local attacker could run malicious code instead of the intended executable without encountering privilege problems. Such an attack could allow a hacker to gain elevated permissions to access a user's system, Milvich and Talmat noted.
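The check-then-use race described above, shown in general form as an added example; it is not code from the article, IOActive or Lenovo. It assumes a SHA-256 comparison as a stand-in for signature verification and a file read as a stand-in for execution, and all names and sample data are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

TRUSTED = b"constructed sample: vendor update payload"
SWAPPED = b"constructed sample: content written after the check"
TRUSTED_DIGEST = hashlib.sha256(TRUSTED).hexdigest()  # stand-in for a signature check


def verify_then_use_path(path, rewrite_window):
    """Racy pattern: check the file at `path`, then re-open the same path to use it."""
    if hashlib.sha256(Path(path).read_bytes()).hexdigest() != TRUSTED_DIGEST:
        raise ValueError("verification failed")
    rewrite_window()                  # another local process may write here
    return Path(path).read_bytes()    # stand-in for "execute the saved file"


def verify_then_use_private_copy(path, rewrite_window):
    """Hardened pattern: read once, verify those bytes, use only a private copy."""
    data = Path(path).read_bytes()
    if hashlib.sha256(data).hexdigest() != TRUSTED_DIGEST:
        raise ValueError("verification failed")
    private_dir = tempfile.mkdtemp()  # accessible only to the creating user
    try:
        staged = Path(private_dir) / "update.bin"
        staged.write_bytes(data)
        rewrite_window()              # the shared path can change; the copy does not
        return staged.read_bytes()
    finally:
        shutil.rmtree(private_dir)


def demo():
    """Run both patterns on a file that is rewritten between check and use."""
    shared_dir = tempfile.mkdtemp()   # models a directory other users can write to
    path = Path(shared_dir) / "update.bin"
    results = []
    for pattern in (verify_then_use_path, verify_then_use_private_copy):
        path.write_bytes(TRUSTED)
        results.append(pattern(path, lambda: path.write_bytes(SWAPPED)))
    shutil.rmtree(shared_dir)
    return results


if __name__ == "__main__":
    print(demo())
```

The first pattern returns the rewritten content even though verification passed; the second returns exactly the bytes that were verified.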

The other two vulnerabilities that IOActive identified included the use of a predictable security token that could allow a malicious, unprivileged user to arbitrarily execute commands during system updates, which "represents a massive security risk," Milvich and Talmat said. Another flaw with signature validation could allow hackers to "bypass signature validation checks and replace trusted Lenovo applications with malicious applications," they added.

Tell Us What You Think
Ellen Miller:
Posted: 2016-09-30 @ 9:05am PT
I just bought a Lenovo idea pad 310 15 touchscreen laptop Intel core I5. From Costco. Was this a mistake? Have they corrected the problem?

ricky jones:
Posted: 2015-05-12 @ 8:06am PT
Someone better fix my computer

Francolin:
Posted: 2015-05-08 @ 3:05pm PT
I have a Lenovo all-in-one computer, which I bought in early 2014. I have a lot of problems with adware. I also have an older computer that runs Win XP, no antivirus and the Win updates are things of the past. I never had or have any bull like that with the old computer. I will never buy any Lenovo product again.

LenovoIN:
Posted: 2015-05-07 @ 3:16pm PT
This news has been out for almost a month. Responsible users would have updated this tool, being that if they launched an outdated version, they are prompted to update the tool.
Just like your OS, drivers, software etc.... these tools have to be updated.
The advisory re: this flaw came out April 14, 2015.
https://support.lenovo.com/us/en/product_security/lsu_privilege

BePrecise:
Posted: 2015-05-07 @ 2:44pm PT
Wrong article title. It is not Lenovo Computers that have 'Massive Security Risk'. It is the pre-installed software, starting with the mother of all bloatware, Windows. Security-conscious users wipe out the pre-installed bloatware and make a clean start, ideally with Ubuntu.
