Security researchers find ‘massive risk’ in Lenovo computers

6 May 2015

A security firm found a flaw in Lenovo's security

Just three months after issuing an apology for installing dangerous adware on its computers, Lenovo is again being called out for its lack of security measures.

Security firm IOActive has revealed that in February its researchers warned Lenovo about flaws in its software that could allow remote attackers to bypass signature validation checks and replace Lenovo applications with malicious ones. These weaknesses could also let attackers obtain greater control over a system than they should have.

As reported by the BBC, Lenovo has acknowledged the findings and urged users to download a patch to update their system. “Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings and we value their expertise in identifying and responsibly reporting them,” the Chinese company said in a statement.

It’s another PR disaster for Lenovo after the PC manufacturer was found to be installing adware, known as Superfish, on its machines prior to sale. The software would cause Google searches and other websites to display third-party adverts without the user’s permission. In an open letter released to journalists, Lenovo’s CTO Peter Hortensius admitted it was a major mistake to have begun the practice in the first place. “We saw published reports about a security vulnerability created by this software and have taken immediate action to remove it.

“Clearly this issue has caused concern among our customers, partners and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologise. Now, I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.”


Dean Van Nguyen was a contributor to Silicon Republic
