PCR Tech and IT retail, distribution and vendor news
Earlier this year it was revealed that Lenovo’s computers were installed with a piece of software called Superfish, leaving many user’s data vulnerable.
Now it seems the company’s update system may also be open to attacks from hackers.
According to security firm IOActive, it has discovered ‘major vulnerabilities’ in Lenovo’s update system, which could allow hackers to replace Lenovo programs with malware.
Hackers may also be able to control commands as well as create a fake certificate authority to sign executables.
SC Magazine reports that the flaws were discovered back in February, and researchers have decided to go public with them now, to give Lenovo enough time to fix the issues, which it has done.
In a statement sent to PCR, Lenovo said: “Lenovo’s development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them.
"Lenovo released an updated version of System Update on April 1st which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege.
"Existing installations of System Update will prompt the user to automatically install the updated version when the application is run. Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive.”
This news comes after Lenovo’s computers were found storing a piece of adware called Superfish earlier this year.
Superfish was built into standard PCs, but meant that third parties could get hold of user’s passwords and other data.
