TORONTO – Just three months after coming under fire for pre-installing dangerous adware onto its computers, the world’s largest PC maker is once again being accused of having poor security measures.
Researchers at IOActive Security have discovered serious vulnerabilities in Lenovo’s System Update software that could allow a hacker to install malware on a user’s computer.
According to researchers, one of the vulnerabilities would allow hackers to bypass the computer’s signature validation checks and replace legitimate Lenovo programs with malicious ones. This may have exposed Lenovo users to attacks over public Wi-Fi, allowing hackers to hijack the connection in a man-in-the-middle style attack.
Ironically, the Lenovo System Update software is what allows users to download the latest drivers and software updates for their computers – including security patches.
In a statement posted to its website, Lenovo acknowledged the findings and urged users to download a patch to fix the vulnerabilities.
“Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them,” read the statement.
“Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive.”
The PC maker said all ThinkPad, ThinkCentre, ThinkStation and Lenovo V/B/K/E Series model computers are affected by the security flaws.
Users with affected devices should be automatically prompted to install the updated version of Lenovo System Update. Directions to manually update the software can be found on Lenovo’s website.
Poor security record
This is the second security blunder to strike Lenovo this year.
In February, the company came under fire for pre-installing potentially malicious adware called “Superfish” on some consumer laptops.
Superfish is designed to provide users with a “visual search” experience by showing users third-party ads in Google search results. This type of software is often called adware thanks to its ability to automatically display ads.
But, according to security experts, Superfish intercepts encrypted connections leaving them open – allowing hackers use man-in-the-middle style attacks to steal users’ personal data or install malware.
Lenovo was widely criticized for its handling of the issue and weeks later was hit with a proposed class action lawsuit for “fraudulent business practices.”
The ‘common thread’
This latest security problem is causing security experts to become weary of Lenovo.
“The common thread in all of these vulnerabilities is that Lenovo decided to add software on top of Windows, and in the process managed to undermine the security of the entire Windows environment,” Matthew Green, cryptography and research professor at Johns Hopkins University, told Global News.
“The main surprise here is Lenovo’s lack of attention to security detail. These are not deep, complex issues that would only have been caught by a detailed code review. It’s pretty disturbing that these issues are present in software that’s shipped to millions of users.”
Thanks to these vulnerabilities Lenovo earned itself a poor reputation when it comes to security – which is something hackers are likely to take advantage of.
Global News contacted Lenovo for further comment on this latest security blunder; however, a spokesperson referred back to the statement posted to the company’s website.