Lenovo again found exposing users to massive security breach
Lenovo is at it again, this time putting users at risk through Lenovo System Update (previously known as ThinkVantage System Update). According to security consultancy IOActive, a Lenovo PC owner is exposed to malware attacks from remote hackers while running Lenovo System Update. Users see Lenovo System Update as a way to download the latest drivers, software and security patches from Lenovo’s website, but hackers could use the vulnerability in it to create a channel that lets them communicate with the user’s PC and execute commands on it without permission.
Earlier in the year, some Lenovo machines were also found to be shipping with adware called Superfish. Superfish was found to be tracking users’ personal information and, based on their searches, injecting third-party ads into their Google searches without their permission.
The risks of running Lenovo System update
Michael Milvich and Sofiane Talmat from IOActive discovered the vulnerability in Lenovo System Update version 22.214.171.124 and earlier in Feb 2015. Rating the severity of the vulnerability as critical, they wrote:
“The System Update service (SUService.exe) creates a named pipe through which the unprivileged user can send commands to the service. When the unprivileged System Update needs to execute a program with higher privileges, it writes the command to the named pipe, and the SUService.exe reads the command and executes it. Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk”.
It would be unfair to say that Lenovo’s system has no security check to prevent unauthorized access: it does attempt to restrict access to the System Update Service by requiring clients to authenticate with a security token. However, the token is predictable and can be generated easily by attackers without any elevated permissions.
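A simplified model of the design flaw described above, next to a hardened form, as an added example that is not code from IOActive's advisory or from Lenovo. The token derivation, class names, action name and sample values are constructed assumptions, and nothing is actually executed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in: the page does not say how the real token was derived.
def predictable_token(day: str) -> str:
    """Token built only from values any local process can obtain."""
    return hashlib.sha256(f"update-service:{day}".encode()).hexdigest()

class WeakService:
    """Accepts any command line from a caller presenting the derived token."""
    def __init__(self, day: str):
        self._expected = predictable_token(day)

    def handle(self, token: str, command: str) -> str:
        if token != self._expected:
            return "denied"
        return f"would run as SYSTEM: {command}"  # arbitrary command accepted

class HardenedService:
    """Random per-session secret plus a fixed set of named actions."""
    ACTIONS = {"install-update": "installer.exe /quiet"}  # hypothetical action

    def __init__(self):
        self._secret = secrets.token_hex(32)  # 256 bits from the OS CSPRNG

    def issue_token(self) -> str:
        # Assumption: handed to the client over a channel the OS access-controls.
        return self._secret

    def handle(self, token: str, action: str) -> str:
        if not hmac.compare_digest(token, self._secret):
            return "denied"
        if action not in self.ACTIONS:
            return "denied"  # callers name an action, never a command line
        return f"would run as SYSTEM: {self.ACTIONS[action]}"

def demo() -> dict:
    day = "2015-02-01"  # constructed sample value
    weak, hard = WeakService(day), HardenedService()
    guess = predictable_token(day)  # any unprivileged process can compute this
    return {
        "weak_with_computed_token": weak.handle(guess, "attacker-chosen.exe"),
        "hard_with_computed_token": hard.handle(guess, "install-update"),
        "hard_valid_unknown_action": hard.handle(hard.issue_token(), "attacker-chosen.exe"),
        "hard_valid_known_action": hard.handle(hard.issue_token(), "install-update"),
    }
```

The hardened variant rejects both the computed token and any request that is not a named action, so even a caller holding a valid token cannot supply its own command line.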
Responding to the IOActive security advisory, Lenovo released a fix last month that replaces the token authentication method; it is available through System Update.
Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wildlife and has written a book on Top Tiger Parks of India.