PC manufacturer Lenovo Group Ltd. has been accused of exposing its users to a “massive security risk” after researchers found major flaws in its software. Researchers from the security firm IOActive discovered a way for hackers to create fake security certificates that would let them sign executables, allowing them to replace Lenovo’s own programs with malware over unsecured wireless networks.
If users updated their machine over an unsecured network, like those commonly found in coffee shops and airports, they could end up downloading malware, the security firm warned in an advisory statement released this week.
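The risk described above, a downloaded update replaced on the wire and accepted because the updater's trust anchor is itself under the attacker's control, is easiest to see in code. The Go program below is an added illustration and is not from the article, from IOActive's advisory, or from Lenovo's software; the article does not say how Lenovo System Update validated signatures, so the weak check here (trusting whatever public key the download carries) and the hardened check (pinning a fingerprint of the vendor's key inside the updater) are constructed to show the general defect class. Keys and payloads are generated at run time; nothing here is a real identifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// UpdateBundle models what an updater downloads over the network (constructed
// for this example): the executable bytes, a detached signature, and the public
// key the package claims signed it. On an unauthenticated hotspot every field
// can be rewritten by whoever sits on the path.
type UpdateBundle struct {
	Payload    []byte
	Signature  []byte
	ClaimedKey ed25519.PublicKey
}

// makeBundle signs payload with priv and packages it with priv's public key.
func makeBundle(priv ed25519.PrivateKey, payload []byte) UpdateBundle {
	return UpdateBundle{
		Payload:    payload,
		Signature:  ed25519.Sign(priv, payload),
		ClaimedKey: priv.Public().(ed25519.PublicKey),
	}
}

// verifyEmbeddedKey is the weak check: the signature is valid for *some* key,
// but that key travels inside the untrusted download, so anyone who can swap
// the executable can also supply a key that matches their own signature.
func verifyEmbeddedKey(b UpdateBundle) bool {
	return ed25519.Verify(b.ClaimedKey, b.Payload, b.Signature)
}

// verifyPinnedKey is the hardened check: the trust anchor is a SHA-256
// fingerprint of the vendor's signing key compiled into the updater, so the
// claimed key must match it before the signature is even considered.
func verifyPinnedKey(pinnedFingerprint [sha256.Size]byte, b UpdateBundle) bool {
	if sha256.Sum256(b.ClaimedKey) != pinnedFingerprint {
		return false
	}
	return ed25519.Verify(b.ClaimedKey, b.Payload, b.Signature)
}

// Outcome records what each check decided for one bundle.
type Outcome struct {
	WeakAccepts   bool
	PinnedAccepts bool
}

// Simulate builds a genuine vendor update and an on-path replacement signed
// with a different (hypothetical, freshly generated) key, then runs both
// checks over each bundle.
func Simulate() (legit, forged Outcome, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// The fingerprint an updater would ship with its own binary.
	pinned := sha256.Sum256(vendorPub)

	genuine := makeBundle(vendorPriv, []byte("constructed: genuine updater v1.2"))
	tampered := makeBundle(otherPriv, []byte("constructed: replaced executable"))

	legit = Outcome{verifyEmbeddedKey(genuine), verifyPinnedKey(pinned, genuine)}
	forged = Outcome{verifyEmbeddedKey(tampered), verifyPinnedKey(pinned, tampered)}
	return
}

func main() {
	legit, forged, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine update  -> weak check: %v, pinned check: %v\n", legit.WeakAccepts, legit.PinnedAccepts)
	fmt.Printf("replaced update -> weak check: %v, pinned check: %v\n", forged.WeakAccepts, forged.PinnedAccepts)
}
```

The point the two checks make is the one the researchers raised: a signature check is only as strong as the source of the key it trusts. If the updater learns the key from the same channel that delivers the executable, a forged certificate and a replaced binary arrive together and pass; if the key (or its fingerprint, or the CA chain that must vouch for it) is fixed in the client ahead of time, the replacement fails no matter how the transport was tampered with. Fetching updates over TLS with proper certificate validation closes the same gap at the transport layer and is the complementary control.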
Two other flaws were also discovered that could allow attackers to gain a greater level of control over a machine, letting them run malware as a system user, opening the door for malicious commands, according to security expert Alan Woodward of Surrey University. "Lenovo have been found wanting again on the security front," he told the BBC. "They seem to be exposing users to potential remote hacking this time."
The vulnerabilities were brought to Lenovo’s attention by IOActive in February, giving the Chinese firm time to fix the problem. "Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings," Lenovo said in a statement, The Verge reported Wednesday, adding: "and we value their expertise in identifying and responsibly reporting them."
Last month, the company released a patch to address the flaws. Lenovo users will need to download these security updates themselves in order to close the hole. IOActive's findings, however, were made public only this week.
The revelation comes just three months after it was discovered that the world’s largest PC manufacturer had packaged the “Superfish” adware with its products, which intercepted its users’ Internet traffic, forcing them to see advertisements.