Three months after Lenovo was called out for installing dangerous software
onto its computers, the world's largest PC manufacturer has once again
been accused of lax security measures.
Security firm IOActive reports that
it discovered major vulnerabilities in Lenovo's update system that
could allow hackers to bypass validation checks, replace legitimate
Lenovo programs with malicious software, and run commands from afar.
The vulnerabilities were found in February
Through one of the vulnerabilities, IOActive researchers explained
that attackers could create a fake certificate authority to sign
executables, allowing malicious software to masquerade as official
Lenovo software. Should a Lenovo owner update their machine in a coffee
shop, another individual could conceivably use the security hole to swap
Lenovo's programs with their own — what the researchers call the "classic coffee shop attack." This security hole, along with the others described by IOActive, is present in Lenovo System Update 5.6.0.27 and earlier versions.
The vulnerabilities, which were first discovered by the security
specialists back in February, were brought to Lenovo's attention at the
time in order to allow the Chinese firm to develop a fix. The company
issued a patch last month that removes the bugs, but owners of Lenovo
machines will need to download the security update themselves in order
to avoid having their computers compromised by what IOActive calls a
"massive security risk." Lenovo may have reacted quickly to the
problems, but as the world's number one PC manufacturer tries to grow
even bigger, it's yet another embarrassing security hole in its software.
Source: www.theverge.com