Technology News
English Edition

Lenovo PCs Have 'Massive Security Risk' Say Researchers; Fix Issued

By Ketan Pratap | Updated: 7 May 2015 15:19 IST
Lenovo PCs Have 'Massive Security Risk' Say Researchers; Fix Issued
Click Here to Add Gadgets360 As A Trusted Source As A Preferred Source On Google
Advertisement
Lenovo's image has taken another hit with a report of another software-related glitch on its computers that could potentially allow attackers to bypass signature validation checks and replace trusted Lenovo applications with malware.

Security researchers Michael Milvich and Sofiane Talmat of IOActive discovered a 'massive security risk' in the Lenovo System Update software in February, and reported the issue to the world's biggest PC maker. The researchers have now made the vulnerabilities public after Lenovo has issued a patch for the application.

The Chinese company has posted a patch for consumers on its support page titled "Lenovo System Update Privilege Escalation." Affected machines in the Lenovo lineup are the Lenovo ThinkPad, ThinkCentre, ThinkStation, and other Lenovo laptop (V, B, K, and E) series. Users of these machines can either run Lenovo System Update and install the new version when prompted by the app, or download and install the latest version manually.

Milvich and Talmat of IOActive have detailed three vulnerabilities in the Lenovo System Update software in a security advisory. According to the IOActive security advisory, the CVE-2015-2219 vulnerability allows local least-privileged users to run commands as the system user. The CVE-2015-2233 vulnerability, on the other hand, allows a hacker to replace the trusted company software with any malicious software.

"Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against "coffee shop" style attacks," notes the IOActive security advisory. Lastly, CVE-2015-2234 vulnerability allows local unprivileged users to run commands as an administrative user.

All the vulnerabilities reported by security researchers have been fixed in the new version of the Lenovo System Update software released by the Chinese firm, confirms IOActive security advisory. Lenovo has also thankedMilvich and Talmat of IOActive for reporting issues to the company in a responsible manner.

To recall, Lenovo faced much flak back in February when it was found to be pre-installing Superfish software, classified as adware by researchers, on its computers. After defending the software as a shopping tool to aid users, the world's largest PC maker promised to stop pre-installing such software.

Comments

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Laptops, Lenovo, Lenovo Computers, Malicious Software, PC
Ketan Pratap
Ketan Pratap
Ketan Pratap is the Editor at Gadgets 360. His primary role - debugging the tech hype, benchmarking the future, and compiling it all into precise news, features or reviews. He has spent over 14 years calling out vaporware and identifying the best tech. He’s your guide for everything from chipsets to smart-home meltdowns. When his own batteries are low, he heads for the hills—literally. He’s someone who prefers a remote mountain pass, appreciating a 12,000-foot view that no VR ...More
Nintendo Posts Annual Profit on Wii U Sales Growth, Weak Yen
Rahul Gandhi Makes Twitter Debut With @OfficeOfRG Account

Related Stories

Lenovo PCs Have 'Massive Security Risk' Say Researchers; Fix Issued
Comment
Facebook Gadgets360 Twitter Share Tweet Snapchat LinkedIn Reddit Comment google-newsGoogle News

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi

Advertisement

Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Raktabeej 2 Arrives on OTT Platforms This November: All You Need to Know
#Latest Stories
  1. Goodbye June OTT Release Date Revealed: When, Where to Watch Kate Winslet, Helen Mirren-Starrer Online
  2. Raktabeej 2 Arrives on OTT Platforms This November: All You Need to Know About this Action-Thriller
  3. Usurae Now Streaming on OTT: Plot, Cast, and Everything Else About This Tamil-Language Romantic Drama
  4. Supernova’s First Moments Show Olive-Shaped Blast in Groundbreaking Observations
  5. Intense Solar Storm With Huge CMEs Forced Astronauts to Take Shelter on the ISS
  6. Nearby Super-Earth GJ 251 c Could Help Learn About Worlds That Once Supported Life, Astronomers Say
  7. James Webb Telescope May Have Spotted First Generation of Stars in the Universe
  8. Coming-of-Age Web Series CO-ED to Stream on OTT Soon: Know When, Where to Watch Online
  9. Leonardo DiCaprio’s One Battle After Another Now Available for Rent on Prime Video: All You Need to Know
  10. Ajay Devgn's De De Pyaar De 2 OTT Debut Timeline Tipped: All You Need to Know
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.
Trending Products »
Latest Tech News »