Three months after Lenovo was called out for installing dangerous software onto its computers, the world's largest PC manufacturer has once again been accused of lax security measures. Security firm IOActive reports that it discovered major vulnerabilities in Lenovo's update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar.
The vulnerabilities were found in February
Through one of the vulnerabilities, IOActive researchers explained that attackers could create a fake certificate authority to sign executables, allowing malicious software to masquerade as official Lenovo software. Should a Lenovo owner update their machine in a coffee shop, another individual could conceivably use the security hole to swap Lenovo's programs with their own — what the researchers call the "classic coffee shop attack." The security hole, along with others described by IOActive, are present in Lenovo System Update 18.104.22.168 and earlier versions.
The vulnerabilities, which were first discovered by the security specialists back in February, were brought to Lenovo's attention at the time in order to allow the Chinese firm to develop a fix. "Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings," Lenovo said in a statement, "and we value their expertise in identifying and responsibly reporting them."
The company issued a patch last month that removes the bugs, but owners of Lenovo machines will need to download the security update themselves in order to avoid having their computers compromised by what IOActive calls a "massive security risk." Lenovo may have reacted quickly to the problems, but as the world's number one PC manufacturer tries to grow even bigger, it's yet another embarrassing security hole in its software.
Update May 6th 10:37AM ET: The piece has been updated with Lenovo's statement.