Earlier this year, it came to light that Lenovo laptops shipped with preinstalled software called Superfish that could leave user data vulnerable. Now researchers have found that Lenovo's own update system is flawed too, and could allow attackers to run commands of their choosing on the hardware.
A team at IOActive has found vulnerabilities in Lenovo's System Update service. One of them lets an attacker forge the certificate that is supposed to vouch for executable files, so malware can be pushed to the machine remotely as though it were a trusted Lenovo update. Another lets an ordinary, unprivileged local user send commands to the update service, which runs with high-level privileges, and have it execute whatever commands and programs they like. "Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk," the researchers told SC Magazine.
The vulnerabilities were actually discovered back in February, and the IOActive team only went public now in order to give Lenovo a chance to build and release a patch. Lenovo did, just last month, but if you use Lenovo hardware with System Update 220.127.116.11 or earlier installed, you need to update as soon as you can. The researchers also warn that it is sensible to download those updates on a secure network that you trust, since the update channel itself is what the flaws let an attacker abuse. [IOActive via SC Magazine via The Verge]