Lenovo Users Warned of 'System Update Flaw'

John Lister's picture

Lenovo computer users have been warned to immediately check that they have installed a security patch to plug a significant risk of malware. Ironically, the risk is related to the way that Lenovo's automated software update system is updated.

Independent security researchers discovered a flaw in the protection that is meant to ensure that Lenovo computers only automatically download and install genuine updates. The flaw means that a hacker can remotely install malicious software on a Lenovo computer simply by being on the same unsecured wireless network.

Within the security community, this type of security flaw is known informally as a "coffee shop attack," because it can be done if the victim is using public WiFi that doesn't need a password. Because the computer mistakenly believes the hacker's software to be a genuine update, it installs and runs it in "privileged user" mode, which greatly increases the potential for the software to do damage or access confidential data.

Lenovo System Update Flaw Discovered Three Months Ago

The security firm that found the problem, IOActive, told Lenovo about the system update flaw in February and kept quiet to allow it time to find a fix. Surprisingly, the fix was made available on April 14 this year, but neither company appears to have made a public announcement until now.

The problem affects users of the ThinkPad, ThinkCenter and ThinkStation ranges, plus the B, E, K and V series of Lenovo PCs. That said, users should get an on-screen message asking them to install the security patch in the coming days. Alternatively, they can use a direct link on Lenovo's support site. (Source: lenovo.com)

Given the circumstances of the vulnerability, it's a good idea to make sure to install the security patch only on a secure network: that is, one which requires a password to access over WiFi.

Lenovo Slammed For Basic Error

The security community has reacted extremely negatively to the news, with many analysts criticizing Lenovo for what they consider a very basic failure in maintaining security, particularly given the reliance many users place on automated updates. (Source: bbc.co.uk)

It follows a major controversy earlier this year when it was discovered that Lenovo shipped PCs with spyware designed to track user activity, which then prompted a class action lawsuit.

What's Your Opinion?

Are you a Lenovo user? Do incidents like this affect your likelihood to buy the brand in future? Would this event make you more wary about connecting to unsecured WiFi?

Rate this article: 
Average: 4.6 (7 votes)

Comments

Head4Heights's picture

I ordered a ThinkPad a while after the story about the crapware they load had broken and entertained a hope that it might arrive cleaner, if not clean. Nope. I wasted a day of my life clearing the most objectionable junk off the PC, my final tally was 20 bits of malware. Would I buy Lenovo again? Doubtful.