
PC maker Lenovo exposes users to "massive security risk"


7 replies to this topic

#1 JohnC_21


Posted 06 May 2015 - 08:42 AM

The problems have been revealed by security firm IOActive – just weeks after Lenovo was found to be shipping PCs with pre-installed 'Superfish' adware that also left its users open to MITM attacks.

IOActive researchers Michael Milvich and Sofiane Talmat say in an advisory that they discovered the latest “high-severity” privilege escalation vulnerabilities in Lenovo's System Update service, which enables users to download the latest drivers and other software, including security patches, from Lenovo's website.

The researchers found the flaws in February, and have now gone public on them after giving Lenovo time to develop a patch, issued last month.

But while the patch fixes the problems, users have to download the security update to protect themselves. Milvich and Talmat say that one of the vulnerabilities, CVE-2015-2233, allows local and remote hackers to bypass the device's signature validation checks and replace trusted Lenovo applications with malware.

Another bug, CVE-2015-2219, is a weakness in Lenovo's security token system, which means least-privileged users could gain high-level access to Lenovo PCs, laptops and other devices and run their own malicious commands and programs.


Article




#2 Aura


Posted 06 May 2015 - 08:58 AM

I'm starting to like Lenovo products less and less now. They have super good products for the price (specs-wise), but security- and privacy-wise, it seems like they have a lot to learn.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 curlly62


Posted 06 May 2015 - 01:02 PM

I just purchased my first Lenovo computer and was very disappointed that it was so slow and just full of junk that they "preload" on it. These "security updates" that we are supposed to do, is there a link to those?



#4 rp88


Posted 06 May 2015 - 01:11 PM

I would guess a user would be safe if they disabled Lenovo's bundled driver/system updating program. If they removed it from their startup entries, and disabled (or set to manual start) its services so it could only run if a user opened it deliberately, then I would guess that vulnerabilities in the driver/system updating software couldn't be of risk to users.
Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#5 Aura


Posted 06 May 2015 - 01:17 PM

> These "security updates" that we are supposed to do, is there a link to those?


Here's the article for it on Lenovo's website.

https://support.lenovo.com/us/en/product_security/lsu_privilege

And here's the URL for the update.

https://support.lenovo.com/us/en/documents/ht080136

Download the one for your Windows version.



#6 curlly62


Posted 06 May 2015 - 01:20 PM

Thank you Aura.....really appreciate the links.



#7 Aura


Posted 06 May 2015 - 01:24 PM

No problem curlly, my pleasure :)



#8 quietman7


Posted 07 May 2015 - 05:39 AM

As the old saying goes..."You get what you pay for."


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
