Few months after Lenovo’s SuperFish fiasco ended, the company is now back in the spotlight for a new security risk.
Security firm IOActive reported that it has discovered major vulnerabilities in Lenovo’s update system. The report claims that the vulnerabilities can give hackers access to bypass the company’s validation checks, and allow them to replace legitimate software with malicious software running in disguise, unspotted.
Should a Lenovo owner update their machine in a coffee shop, another individual could conceivably use the security hole to swap Lenovo’s programs with their own — what the researchers call the “classic coffee shop attack.” The security hole, along with others described by IOActive, are present in Lenovo System Update 188.8.131.52 and earlier versions, the Verge wrote.
We’ve reached out for comments and were able to get the following statement by a Lenovo Spokesperson:
Lenovo’s development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them. Lenovo released an updated version of System Update on April 1st which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege. Existing installations of System Update will prompt the user to automatically install the updated version when the application is run. Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive.