Chinese PC maker Lenovo has been again criticised by cyber security experts for leaving major vulnerabilities in its computers. Experts at security firm IOActive has discovered vulnerabilities in its system update. In February, Lenovo was accused of pre-installing a virus-like software on laptops that made its computers more vulnerable to hacking.
According to IOActive Labs, Lenovo System Update 5.6.0.27 and earlier versions are vulnerable. It allows local least-privileged users to run commands as the SYSTEM user.Also, Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications.
In reply, Lenovo in a statement said, “Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them. Lenovo released an updated version of Lenovo System Update on April 1st, which resolves these vulnerabilities.”
The vulnerability may have impacted these device: All ThinkPad, ThinkCentre, ThinkStation products along with Lenovo V/B/K/E Series.
Lenovo has recommended all its users to update System Update to eliminate the vulnerabilities. “Existing installations of Lenovo System Update will prompt the user to automatically install the updated version of the program when the application is run. Alternatively, users may manually update System Update as described in the security advisory,” according to the statement.
