Lenovo again found exposing users to a massive security breach

Lenovo is in the news again, this time over Lenovo System Update (previously known as ThinkVantage System Update). According to security consultancy IOActive, Lenovo PC owners are exposed to malware attacks from remote hackers while running Lenovo System Update. Users see Lenovo System Update as a way to download the latest drivers, software and security patches from Lenovo’s website, but hackers could use the vulnerability in it to create a channel that lets them communicate with the user’s PC and execute commands on it without the user’s permission.


Earlier this year, some Lenovo machines were found to ship with adware called Superfish. Superfish was found to track users’ personal information and, based on their searches, inject third-party ads into their Google searches without their permission.

The risks of running Lenovo System update

Michael Milvich and Sofiane Talmat of IOActive discovered the vulnerability in Lenovo System Update version and earlier, in Feb 2015. Rating the severity of the vulnerability as critical, they wrote:

“The System Update service (SUService.exe) creates a named pipe through which the unprivileged user can send commands to the service. When the unprivileged System Update needs to execute a program with higher privileges, it writes the command to the named pipe, and the SUService.exe reads the command and executes it. Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk”.

It would be unfair to say that Lenovo’s system has no security check to prevent unauthorized access: it does attempt to restrict access to the System Update service by requiring clients to authenticate with a security token. However, the security token is predictable and can easily be generated by attackers without any elevated permissions.
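A small model of the design flaw described above, next to one way to harden it. This is an added illustration, not Lenovo's or IOActive's code: the token derivation, the class names and the action names are assumptions, because the article does not say how the real token was built or how the fix works.

```python
import hashlib
import hmac
import secrets

# Hypothetical action names: the privileged side maps names to fixed programs
# instead of running a command line taken from the pipe.
ALLOWED_ACTIONS = {"check_updates", "install_signed_package"}


def predictable_token(username: str, date: str) -> str:
    """Constructed weak scheme: every input is known to any local user."""
    return hashlib.sha256(f"{username}|{date}".encode()).hexdigest()


class WeakService:
    """Accepts any command whose token matches the predictable value."""

    def handle(self, username, date, token, command):
        if token != predictable_token(username, date):
            return "rejected"
        return f"would run with higher privileges: {command}"


class HardenedService:
    """Secret key from the OS CSPRNG, constant-time check, action allowlist."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the privileged side

    def issue_token(self, session_id: str) -> str:
        # Assumption: called only after the service has verified the caller.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def handle(self, session_id, token, action):
        if not hmac.compare_digest(self.issue_token(session_id), token):
            return "rejected: bad token"
        if action not in ALLOWED_ACTIONS:
            return "rejected: action not allowed"
        return f"accepted: {action}"


def demo():
    """Constructed requests; the first two come from a client holding no secret."""
    guess = predictable_token("alice", "2015-01-01")  # constructed sample values
    weak = WeakService().handle("alice", "2015-01-01", guess, "anything.exe")
    svc = HardenedService()
    forged = svc.handle("s1", guess, "check_updates")
    good = svc.issue_token("s1")
    blocked = svc.handle("s1", good, "anything.exe")
    allowed = svc.handle("s1", good, "check_updates")
    return weak, forged, blocked, allowed
```

The allowlist matters as much as the token: even a correctly authenticated client should only be able to request actions the service already knows, not supply a command to execute.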

Responding to the IOActive security advisory, Lenovo released a fix last month that replaces the token authentication method; it is available through System Update.

You can get the update from here.

Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wildlife and has written a book on Top Tiger Parks of India.


  1. The Cannabis Files

    Did you see the date of that advisory, April 14 ’15? That is almost a month ago. That’s when this was released to the public. As far as running the TV tool versions and earlier, when you launch it you will be prompted to update the tool to the newer version. This is old news that you are putting out like it’s new. Responsible users keep their systems updated; that goes for the OS, software and tools. Most of the people I know that have Lenovos with the TV tool updated it weeks ago when the advisory came out.

  2. Ed

    What? This comes as a surprise?
    People, it doesn’t matter who you buy your PC / laptop / hardware from, it doesn’t matter how many times you format and reformat, they ALL have their quirks and backdoors. Our very own U.S.A.-based Microsoft Windows has a bevy of its own backdoors, most of which you will NEVER know about; at least this one was brought to the forefront and I am sure it will be addressed.
