Earning a high severity level from Lenovo’s own security advisory, anyone currently using a select number of the company’s ThinkPad, ThinkStation, and ThinkCentre systems should know that there’s an important vulnerability that needs to be fixed.
That’s because hidden within Lenovo’s Fingerprint Manager Pro software, there’s a flaw on machines running Windows 7, 8, and 8.1 that could potentially let a hacker log in to your computer using a hardcoded password, bypassing the fingerprint scanner, and even decrypt your current Windows credentials. According to Lenovo “A vulnerability has been identified in Lenovo Fingerprint Manager Pro.
Users who purchased a Lenovo PC between September 2014 and January 2015 got an extra special surprise in the form of adware that left them wide open to malicious attacks. After two and a half years of legal wrangling, the Federal Trade Commission settled its lawsuit against the company, and it’s hard to imagine that executives learned their lesson.
On Monday, the FTC announced that Lenovo will have to inform its customers of all the software that comes pre-loaded on its products and receive the user’s consent. The company will also be subject to 20 years of audited security checks.
Lenovo has fixed two high-severity vulnerabilities in the Lenovo Solution Center support tool that is preinstalled on many laptop and desktop PCs. The flaws could allow attackers to take over computers and terminate antivirus processes.
Lenovo Solution Center allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests. Privilege escalation flaws like this one cannot be used by themselves to compromise computers, but are often used in exploit chains.
Lenovo has urged users to uninstall bloatware bundled on Windows 10 devices by the company after critical security holes were discovered.
The Chinese PC maker said in a security advisory a vulnerability within the company's Lenovo Accelerator Application software is a "high severity" problem which could give attackers the avenue to launch man-in-the-middle attacks against users. MITM attacks occur when a vulnerable machine has been infected with malware which contains surveillance capabilities or a vulnerable web browser is communicating with an insecure server. This type of attack may not show visible signs.
A security researcher has discovered a number of vulnerabilities in Lenovo’s SHAREit app, the worst being the use of “12345678” as a hard-coded, default password. The problems have been patched in the software’s latest release.
SHAREit is an app found on many of Lenovo’s products to allow users to share files across devices. Some ThinkPad and IdeaPad computers, along with Lenovo smartphones, were impacted by the bug. Core Security found four vulnerabilities in the app but the password issues stick out the most. In one of its advisories, Core Security found that when the app is receiving files, it sets a password on a Wi-Fi hotspot.
A trifecta of vulnerabilities has been found in software preinstalled on a number of Dell, Toshiba, and Lenovo consumer and enterprise PCs and tablets, affecting millions of users.
A proof-of-concept that was posted online could allow an attacker to run malware at the system level, regardless of what kind of user is logged in. A user can be tricked into opening a specially-crafted web page, either as a drive-by download or through an email attachment, which could allow an attacker to exploit the flaw. The security researcher confirmed that he did not inform Dell, Toshiba, and Lenovo of the flaws before the proof-of-concept code was posted online.
Lenovo seems to be testing the boundaries of trust. First came the Superfish scandal where they were found to be pre-loading ad software that was so poorly implemented that it left victims/customers vulnerable to serious security flaws.
Then, Lenovo software was discovered on a fresh install of the retail edition of Windows. Lenovo had been modifying the BIOS to ensure that, no matter what a customer did, their software got installed. And this was software referred to as "crapware". That the software was buggy just made a bad situation worse. In the end, Lenovo updated the BIOS not to muck around with the installed copy of Windows.
A recently uncovered feature – which had been swept under the rug – allowed new Lenovo laptops to use new Windows features to install the company’s software and tools even if the computer was wiped.
The users discovered the issue in May when using a new Lenovo laptop that automatically and covertly overwrote a system file on every boot, which downloaded a Lenovo updater and installed software automatically, even if Windows was reinstalled from a DVD. The only problem is that nobody actually asked for this software, and it persisted between clean installs of Windows. Lenovo was essentially exploiting a rootkit on its own laptops to ensure its software persists if wiped.
Three months after Lenovo was called out for installing dangerous software onto its computers, the world's largest PC manufacturer has once again been accused of lax security measures.
Security firm IOActive reports that it discovered major vulnerabilities in Lenovo's update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar. Through one of the vulnerabilities, IOActive researchers explained that attackers could create a fake certificate authority to sign executables, allowing malicious software to masquerade as official Lenovo software.
Lenovo, the largest PC manufacturer in the world, admitted to pre-loading the Superfish adware on some consumer PCs. Lenovo has been accused of fatally compromising user security by installing an adware application on all its Windows computers as they leave the factory.
Unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. The lawsuit was filed after Lenovo admitted to pre-loading Superfish.