Three flaws put Lenovo PCs at risk of being hacked

Users of Lenovo PCs are at risk of being hacked after of a trio of vulnerabilities were found by researchers at the security vendor IOActive.

Taken together, the flaws allow hackers to infiltrate victims’ machines through public wireless networks and gain privileges over a system to run malicious commands, potentially installing malware.

A security advisory from IOActive said: "Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk."

"Lenovo does attempt to restrict access to the System Update Service by requiring clients of the named pipe [which allows less privileged users access to System Update] to authenticate by including a security token with the command the unprivileged user wishes to execute.

"Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions."

Whilst Lenovo fixed the flaw in April it emerged that it had known about the problem since at least February, around the same time that the company was accused of bundling the adware Superfish with its computers.

Among the products affected this time are the ThinkPad, ThinkCentre and ThinkStation, as well as the Lenovo V/B/K/E Series.
Customers who wish to patch the problem should run System Update, which will prompt them to install the latest version.

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

Sign up for our regular news round-up!

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

I would also like to subscribe to:

Thank you for subscribing