Lenovo PCs have Key Vulnerabilities - IOActive

According to IOActive, there are vital security flaws within the System Update utility of Lenovo, published techtimes.com, May 7, 2015.

After accessing the utility from the authorized website of Lenovo, the utility can be used for taking down recent drivers as well as security patches.

Alongside this, the utility can be used for launching malicious assaults like installing malware substituting genuine Lenovo programs, evading verification exercises or executing commands even from remote.

The researchers discovered that a particular vulnerability could let both remote as well as local attackers to elude verification of signature definitions while load malevolent software for trustworthy Lenovo software.

Consequently, Lenovo users might become susceptible to what is called "coffee-shop-assaults" wherein hackers compromise any connection serving publicly used wi-fi network.

An exploitation of the same could let an attacker switch over to a malevolent executable from Lenovo's executables, blog IOActive's investigators.

Two remaining vulnerabilities could enable hackers to acquire some increased control of any PC against the scale they would be entitled for. With that they could potentially execute sinister instructions, says security expert Prof. Alan Woodward at UK's Surrey University. BBC reported this, May 6, 2015.

Woodward adds that Lenovo has been known again as short of adequate security. The system apparently is exposing end-users towards possible hacking from remote.

During February 2015, IOActive drew Lenovo's attention to the security flaws, thus giving enough time to the Chinese company in repairing the problem. In April 2015, Lenovo issued a security patch for rectifying the flaws. Now it's for Lenovo's users towards pulling down these patches.

Remarking about the problem, Security, Strategy and Threat Intelligence Vice-President Kevin Bocek at Venafi contended that end-users' faith with which the Internet continued to operate securely was extremely fragile. Infosecurity-magazine.com reported this, May 7, 2015.

Bocek further said that it wasn't Lenovo alone with the incapability for adequately substantiating digital certificates; there were numerous others too adding that just as the vulnerability indicated incase certificates could be compromised, remaining security controls could collapse.

As vulnerabilities and their exploitations rapidly grew, it was currently more than any time necessary for considering safeguarding certificates and codes gravely, he concluded.

» SPAMfighter News - 5/15/2015