Huge security flaw found in Lenovo laptops and computers

Posted May 6, 2015 by James Walker
Just months after Lenovo was found to be installing adware on its computers, it has now been revealed that the company has left "massive security risks" in the software it supplies with its machines, leaving users vulnerable to attack and exploitation.
Advertising for Chinese technology giant Lenovo, seen in Hong Kong, on February 4, 2014
Alex Ogle, AFP/File
The issue, exploitable through the classic "coffee shop attack," was found inside the Lenovo update software used to download new versions of Lenovo programs. The updater did not bother to confirm that the files it downloaded were what they claimed to be, leaving the download open to hijacking.
On a public network such as those provided by coffee shops, attackers could hijack the connection and exploit the Lenovo software to download their own files. As the software did not validate the signature of the file that it was downloading, malicious programs could easily be downloaded, installed and run with elevated privileges in place of the legitimate files.
The BBC says that two other flaws would have allowed attackers to gain control over an affected computer and given them the ability to run malicious commands on it, raising the prospect of remote hijacking of systems.
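As an added illustration (not from the article or from Lenovo's software), the following Python example shows the kind of check the updater is described as lacking: a download is accepted only if its manifest carries a valid signature from a pinned vendor key and the file's SHA-256 matches the manifest. The manifest layout, the file name `update.exe`, the function names and the toy RSA key are all assumptions constructed for the demonstration.

```python
import hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 verification by re-encoding and comparing."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(message, k))

def safe_to_install(manifest: bytes, sig: bytes, name: str, payload: bytes,
                    pinned_n: int, pinned_e: int) -> bool:
    """Accept a download only if the manifest is signed by the pinned key
    and the payload's SHA-256 matches the digest the manifest lists."""
    if not rsa_verify(manifest, sig, pinned_n, pinned_e):
        return False  # manifest forged or altered in transit
    try:
        expected = json.loads(manifest)["files"][name]
    except (ValueError, KeyError, TypeError):
        return False  # malformed manifest or file not listed
    return hashlib.sha256(payload).hexdigest() == expected

# --- Constructed demo data (not from the article) ---
# Toy key built from two Mersenne primes so the demo needs no third-party
# library; a real vendor key would be generated properly and kept offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def demo_sign(message: bytes) -> bytes:
    """Vendor-side signing, present only to produce test input."""
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(message, k), "big"), D, N).to_bytes(k, "big")

GOOD = b"genuine update package"
MANIFEST = json.dumps({"files": {"update.exe": hashlib.sha256(GOOD).hexdigest()}}).encode()
SIG = demo_sign(MANIFEST)
```

Because the signature covers the manifest and the manifest covers the file hash, swapping either the file or the manifest on the network causes the check to fail before anything is run.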
The news is likely to anger, annoy and worry users of Lenovo laptops. Just a couple of months after being told that the Superfish software included by the company was adware, they now learn that the manufacturer has left them open to malware.
Lenovo has traditionally had a very strong image in the computer market, particularly among business users. Because of this, many Lenovo laptops are likely to contain important and sensitive data which attackers could have gained access to. Two issues within two months may worry IT departments at large companies who have previously relied on Lenovo and its positive feedback.
The discovery was made by researchers at security firm IOActive in February. Before announcing it publicly today, they notified Lenovo, which released an update to patch the issues last month. Unfortunately, the updates will not be installed automatically and instead users will have to confirm a prompt. If you own a Lenovo computer, it is recommended that you update the "System Update" software as soon as you can.