Three months after Lenovo was called out for installing dangerous software onto its computers, the world's largest PC manufacturer has once again been accused of lax security measures.
Security firm IOActive reports that it discovered major vulnerabilities in Lenovo's update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar.
Through one of the vulnerabilities, IOActive researchers explained that attackers could create a fake certificate authority to sign executables, allowing malicious software to masquerade as official Lenovo software. Should a Lenovo owner update their machine in a coffee shop, another individual could conceivably use the security hole to swap Lenovo's programs with their own — what the researchers call the "classic coffee shop attack." The security hole, along with others described by IOActive, are present in Lenovo System Update 126.96.36.199 and earlier versions.
Lenovo, the largest PC manufacturer in world, was accused of fatally compromising user security by installing an adware application on all its Windows computers as they leave the factory. The vulnerabilities, which were discovered by the security specialists in February, were brought to Lenovo's attention at the time in order to allow the Chinese firm to develop a fix. Back in February, Superfish caused a major fracas as it turned out to be preinstalled adware that stole private information from Lenovo’s Windows laptops – and while the PC vendor initially denied the software was anything malicious, it quickly backtracked and ditched the program.
The company issued a patch last month that removes the bugs, but owners of Lenovo machines will need to download the security update themselves in order to avoid having their computers compromised by what IOActive calls a "massive security risk." Lenovo may have reacted quickly to the problems, but as the world's number one PC manufacturer tries to grow even bigger, it's yet another embarrassing security hole in its software.