Lenovo seems to find itself in yet again another PR disaster, after an elaborate study was published, revealing serious security flaws in its recent system updates. This scandals follows the Superfish fiasco of earlier this year, and does not bode well for the company. While Lenovo has released a patch to solve these security flaws since, the security specialist community isn’t likely to forget or forgive. Security experts at IOActive revealed that Lenovo’s recent updates lack severely on the security front, with more than 3 major exploitable loopholes.
One major issue lies in the possibility of hackers to create fake certificate authority, allowing them to access and use executables and install malware. Thus, legitimate Lenovo software would be replaced by hacker-induced programs via untrusted networks, such as free WiFi networks found in airports or coffee shops. “Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them.Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.” claim the experts.
Lenovo has since teamed up with IOActive experts in order to develop patches that would prevent such exploits and vulnerabilities. While it’s nice to see a prompt response from the computer manufacturer, it’s worrying to know that it consistently fails to allocate enough resources and expertise in ensuring the safety and privacy of its consumers. Lenovo issued a statement today, explaining that “”Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them”. Too little too late? Time will tell, but the negative PR is definitely adding up.
If you want to learn more about the exposed security flaws, you can read up on IOActive’s findings here.