Lenovo it is again and this time hitting users in the form of Lenovo System update (previously known as ThinkVantage System Update). Reported by security consultancy IOActive, a Lenovo PC owner is exposed to malware attacks from remote hackers, while running a Lenovo System update. Though users would see the Lenovo system update as an activity to download the latest drivers, softwares and security patches from Lenovo’s website, hackers could use the vulnerability present in Lenovo’s system to create a channel that allows them to communicate and execute commands on user’s PC without their permission.
Earlier in the year also, some Lenovo machines were found to be shipped with an Adware called as Superfish. The adware Superfish was found to be tracking user’s personal information and then based on the searches injected third-party ads into their Google searches without their permission.
The risks of running Lenovo System update
Michael Milvich and Sofiane Talmat from IOActive discovered the vulnerability in Lenovo System Update version 22.214.171.124 and earlier, in Feb 2015. Mentioning the severity of the vulnerability as critical, they mentioned,
“The System Update service (SUService.exe). creates a named pipe through which the unprivileged user can send commands to the service. When the unprivileged System Update needs to execute a program with higher privileges, it writes the command to the named pipe, and the SUService.exe reads the command and executes it. Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk”.
Though it would unfair to say that Lenovo’s system does not have any security check up to prevent unauthorized access as it does attempt to restrict access to the System Update Service by requiring clients to authenticate a security token. However, the security token is a predictable one that can be generated by the attackers easily without requiring any elevated permissions.
Responding to IOActive Security Advisory discovery, Lenovo released a fix last month that replaces the token authentication method, and is available through the System Update.
You can get the update from here.