Security researchers find another ‘massive security risk’ in Lenovo PCs


TORONTO – Just three months after coming under fire for pre-installing dangerous adware onto its computers, the world’s largest PC maker is once again being accused of having poor security measures.

Researchers at IOActive Security have discovered serious vulnerabilities in Lenovo’s System Update software that could allow a hacker to install malware on a user’s computer.

According to researchers, one of the vulnerabilities would allow hackers to bypass the computer’s signature validation checks and replace legitimate Lenovo programs with malicious ones. This may have exposed Lenovo users to attacks over public Wi-Fi, allowing hackers to hijack the connection in a man-in-the-middle style attack.

Ironically, the Lenovo System Update software is what allows users to download the latest drivers and software updates for their computers – including security patches.


In a statement posted to its website, Lenovo acknowledged the findings and urged users to download a patch to fix the vulnerabilities.


“Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them,” read the statement.

“Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive.”


The PC maker said all ThinkPad, ThinkCentre, ThinkStation and Lenovo V/B/K/E Series model computers are affected by the security flaws.

Users with affected devices should be automatically prompted to install the updated version of Lenovo System Update. Directions to manually update the software can be found on Lenovo’s website.

Poor security record

This is the second security blunder to strike Lenovo this year.

In February, the company came under fire for pre-installing potentially malicious adware called “Superfish” on some consumer laptops.

Superfish is designed to provide users with a “visual search” experience by showing users third-party ads in Google search results. This type of software is often called adware thanks to its ability to automatically display ads.

But, according to security experts, Superfish intercepts encrypted connections, leaving them open and allowing hackers to use man-in-the-middle style attacks to steal users’ personal data or install malware.



Lenovo was widely criticized for its handling of the issue and weeks later was hit with a proposed class action lawsuit for “fraudulent business practices.”

The ‘common thread’

This latest security problem is causing security experts to become wary of Lenovo.

“The common thread in all of these vulnerabilities is that Lenovo decided to add software on top of Windows, and in the process managed to undermine the security of the entire Windows environment,” Matthew Green, cryptography and research professor at Johns Hopkins University, told Global News.

“The main surprise here is Lenovo’s lack of attention to security detail. These are not deep, complex issues that would only have been caught by a detailed code review. It’s pretty disturbing that these issues are present in software that’s shipped to millions of users.”

Thanks to these vulnerabilities, Lenovo has earned itself a poor reputation when it comes to security – which is something hackers are likely to take advantage of.

“I think this news shows that security researchers already think [Lenovo is a target] — they’re targeting Lenovo as a source of low-hanging fruit. I imagine that criminals are probably doing the same thing,” Green added.

Global News contacted Lenovo for further comment on this latest security blunder; however, a spokesperson referred back to the statement posted to the company’s website.
