Lenovo Users Warned of 'System Update Flaw'
Lenovo computer users have been warned to immediately check that they have installed a security patch to plug a significant risk of malware. Ironically, the risk is related to the way that Lenovo's automated software update system is updated.
Independent security researchers discovered a flaw in the protection that is meant to ensure that Lenovo computers only automatically download and install genuine updates. The flaw means that a hacker can remotely install malicious software on a Lenovo computer simply by being on the same unsecured wireless network.
Within the security community, this type of security flaw is known informally as a "coffee shop attack," because it can be done if the victim is using public WiFi that doesn't need a password. Because the computer mistakenly believes the hacker's software to be a genuine update, it installs and runs it in "privileged user" mode, which greatly increases the potential for the software to do damage or access confidential data.
Lenovo System Update Flaw Discovered Three Months Ago
The security firm that found the problem, IOActive, told Lenovo about the system update flaw in February and kept quiet to allow it time to find a fix. Surprisingly, the fix was made available on April 14 this year, but neither company appears to have made a public announcement until now.
The problem affects users of the ThinkPad, ThinkCentre and ThinkStation ranges, plus the B, E, K and V series of Lenovo PCs. Affected users should get an on-screen message asking them to install the security patch in the coming days. Alternatively, they can use a direct link on Lenovo's support site. (Source: lenovo.com)
Given the circumstances of the vulnerability, it's a good idea to install the security patch only on a secure network: that is, one which requires a password to access over WiFi.
Lenovo Slammed For Basic Error
The security community has reacted extremely negatively to the news, with many analysts criticizing Lenovo for what they consider a very basic failure in maintaining security, particularly given the reliance many users place on automated updates. (Source: bbc.co.uk)
It follows a major controversy earlier this year when it was discovered that Lenovo shipped PCs with spyware designed to track user activity, which then prompted a class action lawsuit.
What's Your Opinion?
Are you a Lenovo user? Do incidents like this affect your likelihood to buy the brand in future? Would this event make you more wary about connecting to unsecured WiFi?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance, I can help.
Comments
Lessons not being learned
I ordered a ThinkPad a while after the story about the crapware they load had broken and entertained a hope that it might arrive cleaner, if not clean. Nope. I wasted a day of my life clearing the most objectionable junk off the PC; my final tally was 20 bits of malware. Would I buy Lenovo again? Doubtful.