Researchers find a “massive security risk” on Lenovo devices, patch released


Published on May 6, 2015


As the saying goes, fool me once, shame on you; fool me twice, shame on me. Lenovo is putting that idiom to the test. According to a report by the BBC, researchers have found a “massive security risk” on Lenovo devices. This news comes only months after the ‘Superfish’ news, in which preinstalled adware created security issues.

IOActive uncovered a number of security flaws. First, according to the researchers, attackers could “bypass signature validation checks and replace trusted Lenovo applications with malicious applications.” This would allow people to hack a public Wi-Fi network and “exploit this to swap Lenovo’s executables with a malicious executable.” These are often referred to as “coffee shop attacks.”

Second, people could use the security flaw to “gain elevated permissions.” The report states:

“A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable. When the System Update gets around to running the executable, it will run the malicious version, thinking it was the executable that it had already verified.”

These security flaws stem from the fact that “The Lenovo System Update allows least privileged users to perform system updates.” This means that attackers can act as if they were a privileged user and perform system updates.
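The check-then-run race the report describes, next to one common mitigation, as an added example (not code from IOActive or Lenovo). It assumes a SHA-256 comparison in place of signature validation and a file read in place of running the executable; all names and sample bytes are constructed.

```python
import hashlib
import os
import shutil
import tempfile

TRUSTED = b"constructed sample: vendor update payload"
TAMPERED = b"constructed sample: replaced payload"

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def racy_verify_then_use(path, expected, window=lambda: None):
    """Flawed pattern: verify a path, then reopen that same path later."""
    if digest(path) != expected:
        raise ValueError("verification failed")
    window()  # gap in which anyone with write access can replace the file
    with open(path, "rb") as f:
        return f.read()  # stands in for "run the executable"

def staged_verify_then_use(path, expected, window=lambda: None):
    """Hardened pattern: verify and use a private copy, never the original path."""
    private_dir = tempfile.mkdtemp()  # owner-only (0700) on POSIX; assumed ACL-restricted on Windows
    try:
        staged = os.path.join(private_dir, "update.bin")
        shutil.copyfile(path, staged)
        if digest(staged) != expected:
            raise ValueError("verification failed")
        window()  # replacing the original no longer affects what gets used
        with open(staged, "rb") as f:
            return f.read()
    finally:
        shutil.rmtree(private_dir)

def demo():
    """Run both patterns while the original file is replaced mid-way."""
    shared = tempfile.mkdtemp()  # stands in for a folder low-privileged users can write to
    target = os.path.join(shared, "update.bin")
    expected = hashlib.sha256(TRUSTED).hexdigest()
    def swap():
        with open(target, "wb") as f:
            f.write(TAMPERED)
    results = {}
    for name, fn in (("racy", racy_verify_then_use), ("staged", staged_verify_then_use)):
        with open(target, "wb") as f:
            f.write(TRUSTED)
        results[name] = fn(target, expected, swap)
    shutil.rmtree(shared)
    return results
```

`demo()` returns the replaced bytes for the racy pattern and the verified bytes for the staged one, because the staged copy is the only file that is both checked and used.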

There is a bit of good news in all of this: a patch has been released to fix the reported issues. IOActive reported the issues to Lenovo in February, and a patch to fix them was released on April 3, 2015.

This is another blow to the integrity and security of Lenovo. It will be interesting to see how repeated security risks affect their bottom line.

Radu Tyrsina
