The problems have been revealed by security firm IOActive, just weeks after Lenovo was found to be shipping PCs with pre-installed ‘Superfish’ adware that also left its users open to MITM attacks.
IOActive researchers Michael Milvich and Sofiane Talmat say in an advisory that they discovered the latest “high-severity” privilege escalation vulnerabilities in Lenovo's System Update service, which enables users to download the latest drivers and other software, including security patches, from Lenovo's website.
The researchers found the flaws in February, and have now gone public on them after giving Lenovo time to develop a patch, issued last month.
But while the patch fixes the problems, users have to download the security update to protect themselves. Milvich and Talmat say that one of the vulnerabilities, CVE-2015-2233, allows local and remote hackers to bypass the device's signature validation checks and replace trusted Lenovo applications with malware.
Another bug, CVE-2015-2219, is a weakness in Lenovo's security token system, which means least-privileged users could gain high-level access to Lenovo PCs, laptops and other devices and run their own malicious commands and programs.
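The first flaw described above comes down to an updater that accepted a replaced binary as if it were a trusted Lenovo application. The check below is an added example, written for this page and not taken from IOActive's advisory or from Lenovo's own tooling, of what a download-and-run step should verify before executing anything it fetched: that the Authenticode signature chain is actually valid, and that the signer is the publisher the updater expects rather than any validly signed binary. The publisher subject and file path are placeholders, as is the function name.

```powershell
# Added example (not from IOActive's advisory or Lenovo's System Update): refuse to run
# a downloaded update unless its Authenticode signature validates AND the signer is the
# expected publisher. The expected subject and the usage path are placeholders.
function Test-TrustedUpdate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed expected signer; replace with the publisher subject you actually trust.
        [string] $ExpectedSubject = 'O=EXAMPLE PUBLISHER PLACEHOLDER'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Carrying a signature is not enough: the chain must validate to a trusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$Path' is '$($sig.Status)'; refusing to run."
        return $false
    }

    # Any validly signed binary passes the first check, so pin the signer as well.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedSubject)) {
        Write-Warning "Signer '$subject' is not the expected publisher; refusing to run."
        return $false
    }

    return $true
}

# Usage (placeholder path); only launch the update when both checks pass.
# if (Test-TrustedUpdate -Path 'C:\placeholder\downloaded-update.exe') {
#     Start-Process -FilePath 'C:\placeholder\downloaded-update.exe' -Wait
# }
```

The second check is the one that matters most for the MITM scenario the researchers describe: validating the chain alone still lets an attacker who can tamper with the download swap in any binary that carries a valid signature from some other publisher, so the updater must also confirm who signed it.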