Lenovo accused of ‘massive security risk’ by researchers

IOActive researchers reported that the software on Lenovo devices has serious security flaws and vulnerabilities that cyber criminals can easily exploit to install malware.

Globally active Chinese PC manufacturer Lenovo has been accused by researchers of running a “massive security risk” after experts identified exploitable flaws in its software.

Reportedly, researchers at security firm IOActive discovered vulnerabilities in Lenovo software and alerted the company in February 2015. However, the findings were made public only recently.

Researchers believe that the three vulnerabilities can be easily exploited by cyber criminals to install malware on a user’s PC, and thus the flaws can give attackers full control of the system.

Lenovo not only acknowledged the findings but also urged users to download and install a patch, released in April, to prevent such risks.

Identified Flaws:

One of the three flaws lets both remote and local attackers “bypass signature validation checks and replace trusted Lenovo applications with malicious applications”, the researchers reported.

This flaw can potentially expose Lenovo users to “coffee shop attacks”, in which an attacker takes over a connection to any public Wi-Fi.

Researchers also stated that an attacker can easily “exploit this to swap Lenovo’s executables with a malicious executable.”

The remaining two flaws allow attackers to acquire a higher level of control over a system than they usually can. This way, they can easily run malicious commands, says Professor Alan Woodward, Surrey University’s security expert.

According to Woodward, “Lenovo have been found wanting again on the security front. They seem to be exposing users to potential remote hacking this time. Very disappointing!”

He added that Lenovo was “building a lamentable record for security.”

Lenovo was forced to eliminate the hidden “Superfish” adware that was pre-installed on its machines and compromised users’ security.

According to a Lenovo spokesman, its security and development teams have been working with IOActive on the identified vulnerabilities in its system’s update feature.

UPDATE:

Lenovo has released a Security Advisory that guides you through fixing the existing security flaw.

Source: BBC

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and the tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.