Lenovo rushed to fix post-Superfish 'massive security risk'

Firm moved quickly to clean up man-in-the-middle flaw

Lenovo was hit by another security alert just weeks after Superfish, in what some described as a 'massive security risk' in its systems.

The problem was uncovered by IOActive Lab researchers who found that a flaw in System Update could be exploited to install software on a victim's machine.

"Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications," said an IOActive security report (PDF).

"These applications will then be run as a privileged user. The System Update downloads executables from the internet and runs them.

"Remote attackers who can perform a man-in-the-middle attack can exploit this to swap Lenovo's executables with a malicious executable. The System Update uses TLS/SSL to secure its communications with the update server, which should protect against [such] attacks."

IOActive told Lenovo about its discovery and the companies worked together on a solution which has now been implemented.

Lenovo told V3 that it was glad of the assistance, and that a patch was released in April. The firm recommended that users download that update if they have not already. It is available through both company's websites.

"Lenovo's development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them," the firm explained.

"Existing installations of Lenovo System Update will prompt the user to automatically install the updated version of the program when the application is run.

"Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive."

Lenovo suffered a serious backlash during the Superfish debacle, and suggested that all its customers keep their machines as up to date as possible.

"In general, Lenovo encourages its users to keep their systems up to date by allowing automatic updates to run when prompted," the firm said.