Three major security flaws found in Lenovo PCs


Security firm IOActive has discovered three vulnerabilities in Lenovo’s System Update file that could allow hackers to bypass validation checks, replace legitimate Lenovo programmes with malicious software, and run commands as an administrative user.


Just three months after Lenovo’s embarrassing Superfish debacle, the PC major has once again been accused of lax security measures. Security firm IOActive has discovered three vulnerabilities in Lenovo’s System Update file that could allow hackers to bypass validation checks, replace legitimate Lenovo programmes with malicious software, and run commands as an administrative user.


Through one of the vulnerabilities, CVE-2015-2233, the researchers explained, attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious ones.


“These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them. Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against “coffee shop” style attacks,” IOActive researchers Michael Milvich and Sofiane Talmat explained in a detailed advisory.

Another flaw, CVE-2015-2219, is a weakness in Lenovo’s security token system which means “least-privileged users could gain high-level access to Lenovo PCs, laptops and other devices and run their own malicious commands and programmes.”

The third vulnerability, CVE-2015-2234, allows local unprivileged users to run commands as an administrator.

The security holes are present in Lenovo System Update 5.6.0.27 and earlier versions.
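For an administrator checking a fleet against the affected range above, the following is an added example (not code from the article, IOActive or Lenovo) that classifies inventory records by whether the reported System Update version is 5.6.0.27 or earlier; the inventory format and all hostnames and versions are constructed.

```python
import re
from typing import Dict, List, Tuple

# Highest affected version named in the article: 5.6.0.27 and earlier.
# Anything newer is treated as patched.
LAST_AFFECTED_VERSION = "5.6.0.27"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Numeric tuples compare correctly; plain string comparison would wrongly
    rank "5.10.0.1" below "5.6.0.27" because "1" sorts before "6".
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True if this System Update version is 5.6.0.27 or earlier."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket 'hostname,version' lines into affected / patched / unparseable."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unparseable": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, _, version = line.partition(",")
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unparseable"  # keep it visible rather than silently dropping it
        result[bucket].append(host.strip())
    return result


# Constructed sample inventory; hostnames and version numbers are made up.
SAMPLE_INVENTORY = [
    "# host,lenovo_system_update_version",
    "laptop-01,5.6.0.27",
    "laptop-02,5.6.0.34",
    "laptop-03,5.10.0.1",
    "laptop-04,5.5.2.1",
    "laptop-05,unknown",
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```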


Researchers, however, confirmed that Lenovo has patched the issues. The patch was released in April, but the researchers’ findings were made public this week. Owners of Lenovo machines will still need to download the security update themselves.
