Lenovo makes new critical security mistakes

After the Superfish debacle earlier this year, Lenovo’s security practices have once again been found lacking: IOActive researchers have discovered several vulnerabilities in the company’s System Update software.

All of them affect version 5.6.0.27 and earlier of the software. One of them is rated critical: it can be used by local and potentially remote attackers to replace trusted Lenovo applications with malicious ones.

“As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. When performing the signature validation, Lenovo failed to properly validate the CA (certificate authority) chain,” they explained.

“As a result, an attacker can create a fake CA and use it to create a code-signing certificate, which can then be used to sign executables. Since the System Update failed to properly validate the CA, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user.”
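The chain-validation failure the researchers describe, shown as an added example that is not code from this article, from IOActive or from Lenovo: a Go program (standard library only) that builds a constructed vendor root CA and a constructed rogue root CA, issues a code-signing certificate under each with the same subject name, and runs two checks over the rogue signer. `weakVerify` only confirms that the signer certificate was issued by whatever CA certificate came with it, which is the shape of check the advisory says failed; `strictVerify` chains the signer to a pinned trust store that holds only the genuine root and requires the code-signing extended key usage. The executable's own signature over its bytes is left out because the article does not fault that step. All names, serial numbers and the trust store contents are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template returns a minimal certificate template; all names are constructed.
func template(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
}

// newCert issues a certificate for tmpl with a fresh P-256 key. With
// parent == nil it is self-signed (a root CA); otherwise parent/parentKey sign it.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueChain builds a self-signed CA and a code-signing leaf issued under it.
func issueChain(caName, leafName string) (*x509.Certificate, *x509.Certificate, error) {
	caT := template(caName, 1)
	caT.IsCA, caT.BasicConstraintsValid = true, true
	caT.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey, err := newCert(caT, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafT := template(leafName, 2)
	leafT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	leaf, _, err := newCert(leafT, ca, caKey)
	return ca, leaf, err
}

// weakVerify models the flawed check: the signer certificate is validated only
// against whatever CA certificate shipped alongside it, so any self-made CA passes.
func weakVerify(leaf, shippedCA *x509.Certificate) error {
	return leaf.CheckSignatureFrom(shippedCA)
}

// strictVerify anchors the chain at a pinned trust store and requires the
// code-signing extended key usage, so a rogue CA can never reach a trusted root.
func strictVerify(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// Outcome records how each check treats a signer under a rogue CA versus the genuine one.
type Outcome struct{ WeakAcceptsRogue, StrictAcceptsRogue, StrictAcceptsGenuine bool }

func RunScenario() (Outcome, error) {
	genuineCA, genuineLeaf, err := issueChain("Vendor Root CA (constructed)", "Updater Signer (constructed)")
	if err != nil {
		return Outcome{}, err
	}
	// Same subject name as the real signer, but issued by a CA that is not the vendor's.
	rogueCA, rogueLeaf, err := issueChain("Rogue CA (constructed)", "Updater Signer (constructed)")
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool() // the updater's pinned trust store: the genuine root only
	roots.AddCert(genuineCA)
	return Outcome{
		WeakAcceptsRogue:     weakVerify(rogueLeaf, rogueCA) == nil,
		StrictAcceptsRogue:   strictVerify(rogueLeaf, roots) == nil,
		StrictAcceptsGenuine: strictVerify(genuineLeaf, roots) == nil,
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o) // {WeakAcceptsRogue:true StrictAcceptsRogue:false StrictAcceptsGenuine:true}
}
```

The point the two checks make is that a signature being internally consistent (leaf signed by some CA, CA self-signed) says nothing about who that CA is; only a chain that terminates at a root the updater already trusts, pinned in the application rather than supplied with the package, turns a valid signature into an authorised one. The same `x509.VerifyOptions` also lets a defender demand that every certificate in the chain is valid for code signing, which a certificate issued for another purpose would fail.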

For more technical details about each of the vulnerabilities you can consult this security advisory.

The researchers found the flaws in February and alerted the company. Lenovo’s development and security teams worked with IOActive researchers to plug the holes, and did so in early April by issuing a newer version of the software.

Users are urged to implement the update either via System Update or manually (more information here).

The products potentially affected by these vulnerabilities are all ThinkPad, ThinkCentre, and ThinkStation laptops and tablets, as well as those from Lenovo’s V/B/K/E Series of computers.