(Thanks to Rich Pieri for sharing this news.)
Months after Lenovo was found to have installed dangerous software on its computers, major vulnerabilities were found in Lenovo’s update system that could allow attackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands remotely.
What are the vulnerabilities?
1. Lenovo’s System Update software runs a service as SYSTEM and allows unprivileged processes to send it arbitrary commands to execute.
2. Lenovo’s System Update software does not correctly validate the certificate authority (CA) of signed updates, allowing the installation of “updates” signed with fake certificates.
3. Lenovo’s System Update software downloads updates to a world-writable directory, creating a race condition between signature verification and execution of the saved executable.
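The third bug, as an added illustration that is not from the post or from Lenovo's code: the verify-then-execute ordering in Python, with a constructed HMAC check standing in for a certificate-chain check and a demo hook standing in for another process acting between the two file opens, beside the staged-copy ordering that closes the window.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed stand-in for the publisher's code-signing check: an HMAC-SHA256 under a
# key only the publisher and the updater hold. A real updater would verify an Authenticode
# signature chained to a pinned CA, but the ordering lesson below is the same.
PUBLISHER_KEY = b"constructed-demo-key"

def sign(data):
    return hmac.new(PUBLISHER_KEY, data, hashlib.sha256).digest()

def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)

def is_world_writable(path):
    """True if 'other' holds write permission on path (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def vulnerable_verify_then_run(path, sig, run, race_window=None):
    """Flawed ordering: verify the file at the shared path, then re-open that
    same path to run it. race_window is a demo hook that models another
    process acting between the two opens."""
    with open(path, "rb") as f:
        if not verify(f.read(), sig):
            raise ValueError("bad signature")
    if race_window:
        race_window()
    with open(path, "rb") as f:  # may no longer hold the bytes that were verified
        return run(f.read())

def safe_verify_then_run(path, sig, run, race_window=None):
    """Fixed ordering: copy into a fresh owner-only directory first, then verify
    and run that private copy, so a swap on the shared path changes nothing."""
    private_dir = tempfile.mkdtemp()  # created mode 0700
    staged = os.path.join(private_dir, "update.bin")
    fd = os.open(staged, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with open(path, "rb") as src, os.fdopen(fd, "wb") as dst:
        dst.write(src.read())
    with open(staged, "rb") as f:
        data = f.read()
    if not verify(data, sig):
        raise ValueError("bad signature")
    if race_window:
        race_window()  # the swap hits the shared path, not the private copy
    with open(staged, "rb") as f:
        return run(f.read())
```

The same check against a world-writable download directory is what the patched updater needs before it trusts anything it finds there.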
The company issued a patch last month that fixes the bugs, but owners will need to download the update themselves.