Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

AP Photo/Ron Harris

Lenovo computers have another 'massive security risk'

A patch for the issue has already been released, but users need to update manually.

Updated: 12:55

THREE MONTHS AGO, Lenovo got into trouble over Superfish, a software add-on which was to bring up extra ads but instead carried a serious security flaw, allowing any hacker to carry out man-in-the-middle attacks remotely.

Now another major security flaw has emerged, allowing hackers to bypass security checks, replace Lenovo software with their own and issue commands remotely.

The security firm IOActive discovered the flaw back in February and informed Lenovo of the problem who then issued a patch at the beginning of April.

Describing it as a “massive security risk”, one issue would allow basic user profiles to be changed so they gain admin-level access to a PC, allowing them to run any programmes or commands they wish.

Another issue would allow remote attackers to replace trusted Lenovo applications with their own malicious versions by creating fake certificates for files.

While a patch has been issued, users still need to download the update themselves so if you have System Update 5.6.0.27 or earlier on your Lenovo computer, you need to update it otherwise you’re at risk.

Lenovo issued a statement relating to the security flaw and patch.

Lenovo’s development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them.Lenovo released an updated version of System Update on April 1st which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege.

Existing installations of System Update will prompt the user to automatically install the updated version when the application is run. Alternatively, users may manually update System Update as described in the security advisory.  Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive.

Read: ‘Dave was my rock’: Sheryl Sandberg takes to Facebook to remember her husband >

Read: Skype may be about to get a name change >

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Author
Quinton O'Reilly
View 18 comments
Close
18 Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.
    JournalTv
    News in 60 seconds