Less than three months after Lenovo’s embarrassing Superfish fiasco, the Chinese PC maker is under the microscope once again. Security research firm IOActive recently disclosed that it found a trio of vulnerabilities related to the company’s System Update feature.
One of the vulnerabilities allows both local and remote attackers to replace trusted Lenovo applications with malicious executables of their own, which System Update then runs with elevated privileges. Another flaw takes advantage of a weakness in the security token scheme System Update uses to authorize privileged operations, and the third lets an unprivileged local user run arbitrary commands as an administrator.
Fortunately for Lenovo, IOActive did the right thing and reported the vulnerabilities before going public with their findings. This gave the PC maker plenty of time to get the issues worked out via a patch issued last month. The flaws were originally discovered by Michael Milvich and Sofiane Talmat.
The flaws are said to affect all ThinkPad, ThinkCentre and ThinkStation products as well as B, E, K and V-series systems.
You can determine the currently installed version by opening Lenovo System Update, clicking the green question mark in the top right corner and selecting "About." If you are running version 220.127.116.11 or earlier, update as soon as possible; because the update mechanism itself is the vulnerable component, it is worth confirming the new version number afterwards rather than assuming the update applied. Another option is to wipe the device and install a clean copy of Windows without Lenovo's preloaded utilities, which removes System Update entirely (along with the rest of the preload, so drivers will need to be fetched another way).
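A scripted form of the same check, written here as an added example and not taken from the article, Lenovo or IOActive: it reads the installed version from Windows' uninstall registry entries instead of the About dialog, so it can be run across a fleet with a management tool. It assumes System Update registers an uninstall entry whose DisplayName contains "Lenovo System Update" (an assumption, not something the article states), and the fixed version to compare against is a parameter you must fill in from Lenovo's advisory.

```powershell
# Added example: check the installed Lenovo System Update version from the
# registry. Not from the article; the DisplayName pattern is an assumption.
param(
    # Placeholder: set this to the first fixed version given in Lenovo's advisory.
    [string]$FixedVersion = "0.0.0.0"
)

# Both 64-bit and 32-bit (WOW6432Node) uninstall hives, since the product
# may register under either depending on the installer.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Lenovo System Update*' }

if (-not $entries) {
    Write-Output "Lenovo System Update not found (no matching uninstall entry)."
    exit 0
}

$fixed = [version]$FixedVersion
$exitCode = 0

foreach ($e in $entries) {
    if (-not $e.DisplayVersion) {
        Write-Output ("WARN: {0} has no DisplayVersion; check manually." -f $e.DisplayName)
        $exitCode = 2
        continue
    }

    # Compare as [version] objects, never as strings: as strings,
    # "5.10.0.1" sorts before "5.6.0.27", which would misreport a patched host.
    try {
        $installed = [version]$e.DisplayVersion
    } catch {
        Write-Output ("WARN: cannot parse version '{0}' for {1}." -f $e.DisplayVersion, $e.DisplayName)
        $exitCode = 2
        continue
    }

    if ($installed -lt $fixed) {
        Write-Output ("VULNERABLE: {0} {1} is older than fixed version {2}; update now." -f
            $e.DisplayName, $installed, $fixed)
        $exitCode = 1
    } else {
        Write-Output ("OK: {0} {1} is at or above {2}." -f $e.DisplayName, $installed, $fixed)
    }
}

exit $exitCode
```

Run it as `.\Check-LenovoSystemUpdate.ps1 -FixedVersion <version from advisory>`; a non-zero exit code flags hosts that still need the patch, which makes it easy to wire into a configuration-management or inventory job. Because the check compares `[version]` objects, a host that later moves to a version with a larger minor number but fewer digits is still reported correctly.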