Lenovo suffers another security blow
IOActive uncovers fresh flaw on Lenovo laptops
First there was Superfish, and now another serious security flaw has been found on Lenovo laptops - though this one doesn't yet have a catchy name.
Earlier this year, researchers revealed Lenovo laptops and desktops were shipping with the so-called Superfish adware preinstalled, leaving users open to man-in-the-middle attacks.
Now, experts from IOActive have revealed another flaw in machines from the world's biggest PC maker, issuing an advisory about Lenovo's System Update system.
Researchers Michael Milvich and Sofiane Talmat revealed a series of vulnerabilities that could let hackers take over a PC via the System Update service, which installs drivers or software updates.
"Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe to authenticate by including a security token with the command the unprivileged user wishes to execute," the advisory reads.
"Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions. As a result, an attacker who is unprivileged can perform the same operations as the System Update."
They also found flaws in how Lenovo's System Update validates signatures, meaning attackers could create a fake certificate authority that would be accepted by the system.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Another issue surfaced in how it saves executable files, making it possible for hackers to swap out malicious ones between the time when the signature is verified and the executable file is run.
"As a result of saving the executables in a writeable directory, Lenovo created a race condition between verifying the signature and executing the saved executable," the advisory reads.
"A local attacker could exploit this to perform a local privilege escalation by waiting for the System Update to verify the signature of the executable, and then swapping out the executable with a malicious version before the System Update is able to run the executable."
The researchers originally found the trio of flaws in February, only revealing it now because Lenovo has started patching computers.
In a statement, Lenovo said: "Lenovo's development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them." It added that users with automatic updates will already have the patches on their system, while others can manually update to get the patch. "Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive."