Lenovo issues patch for flaws in its computers
Posted by: Timothy Weaver on 05/07/2015 08:23 AM
Lenovo has issued a patch for a flaw in its computers.
The flaw could allow hackers to replace trusted apps with malicious versions.
IOActive security researchers said that they have found three flaws which could allow hackers to bypass checks to ensure the integrity of apps. That would allow the hackers to run malware on an affected Lenovo machine.
"An attacker can create a fake [certificate authority] and use it to create a code-signing certificate, which can then be used to sign executables," the advisory says. "Since the System Update failed to properly validate the certificate authority, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user."
The "high"-rated flaw affects all ThinkPad, ThinkCentre, and ThinkStation products, along with V, B, K, and E-series machines.
The patch also fixes two other issues: a bug that allowed a lower-level user to skirt the user restrictions in place, potentially allowing a malicious actor to run malware as a "system" user, and a bug in how Lenovo's system update service works that could allow an escalation of privileges.
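The check the advisory says was missing, as an added example that is not Lenovo's or IOActive's code: before running a downloaded update, confirm that its Authenticode signature is valid and that the signer's chain ends at a root the updater has pinned. The function name, file path and thumbprint placeholder are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not code from Lenovo System Update.
function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Thumbprints of the only root CAs this updater accepts (placeholders).
        [Parameter(Mandatory)] [string[]] $PinnedRootThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and Windows could
    # build a trusted chain. Unsigned, tampered or untrusted files fail here.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return $false
    }

    # Rebuild the chain explicitly so the root can be compared to the pin.
    # A certificate issued by a CA the attacker created either fails to
    # build or ends at a root that is not in the pinned list.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($sig.SignerCertificate)) {
        return $false
    }

    # The last chain element is the root certificate.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($PinnedRootThumbprints -contains $root.Thumbprint)
}

# Constructed usage: placeholder path and thumbprint.
$pinned = @('<PINNED-ROOT-THUMBPRINT>')
if (-not (Test-UpdateSignature -Path '.\update-package.exe' -PinnedRootThumbprints $pinned)) {
    Write-Error 'Update rejected: signature invalid or not issued under a pinned root.'
}
```

Pinning the root on top of the operating system's trust decision means a certificate from any other CA is refused even if that CA is somehow trusted on the machine.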
Source: ZDnet