Lenovo exposed users to "massive security risk"
PC manufacturer Lenovo has been accused of exposing customers to a “massive security risk” due to flaws in its pre-loaded software.
Vulnerabilities discovered by security vendor IOActive in February could have allowed attackers to replace trusted Lenovo applications with malicious applications.
One bug could have left Lenovo laptop users vulnerable to attacks involving hijacking a connection to a public Wi-Fi network.
With the connection hijacked, attackers could have swapped Lenovo's executables for malicious software, bypassing the signature validation checks.
The other two bugs could have allowed attackers to gain more control over a system than they were entitled to and run malicious commands with elevated privileges.
The flaws were patched in April but are only now being publicly disclosed.
Lenovo kicked up a storm in February after it was revealed to have pre-loaded its PCs with the hidden Superfish adware, potentially leaving users exposed to attacks.
The Chinese vendor was forced to release a tool to remove the software after an uproar.
Venafi vice president of security strategy and threat intelligence Kevin Bocek noted that the vulnerability was potentially very serious.
“With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption and go undetected,” he said, noting that Lenovo had fallen foul of an issue facing many application developers.
“The system of trust that runs the internet is very fragile. Failing to validate a certificate properly gives bad guys the powerful weapons they need to circumvent security controls,” Bocek said.
“Lenovo joins many others in not being prepared to secure the trust that’s established by keys and certificates... Lenovo is certainly not alone in its inability to properly validate digital certificates - this is just the tip of the iceberg.”
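The two failures the article describes, an update channel that can be hijacked on an untrusted network and an update binary that is accepted without a sound integrity check, are illustrated below in an added example that is not Lenovo's, IOActive's or the article's own code. It uses only the Python standard library, so a pinned SHA-256 from an authenticated manifest stands in for the code-signing check, and the sample update bytes are constructed.

```python
import hashlib
import hmac
import ssl


def build_update_tls_context() -> ssl.SSLContext:
    """TLS context for fetching updates: the server certificate must chain to
    a trusted CA and match the hostname, so a rogue hotspot on public Wi-Fi
    cannot impersonate the vendor's update server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True              # hostname must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED    # never fall back to CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces both chain and hostname validation."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def verify_update(payload: bytes, expected_sha256_hex: str) -> bool:
    """Accept a downloaded executable only if its SHA-256 matches the value
    published in the vendor's authenticated manifest. compare_digest keeps the
    comparison constant-time; a mismatch means the binary must not be run."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


# Constructed sample data (hypothetical): a genuine update and a swapped-in
# binary of the kind an attacker on the same network might try to deliver.
GENUINE_UPDATE = b"MZ\x90\x00 constructed genuine vendor update"
SWAPPED_UPDATE = b"MZ\x90\x00 constructed attacker-supplied binary"
MANIFEST_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def check_sample() -> tuple:
    """Returns (genuine accepted, swapped rejected) for the constructed sample."""
    return (verify_update(GENUINE_UPDATE, MANIFEST_SHA256),
            not verify_update(SWAPPED_UPDATE, MANIFEST_SHA256))


if __name__ == "__main__":
    print("strict TLS:", tls_context_is_strict(build_update_tls_context()))
    print("genuine accepted, swapped rejected:", check_sample())
```

The manifest digest is computed inline here purely so the sample runs offline; in a real updater it must arrive over the verified TLS channel or be signed by the vendor, otherwise the same attacker who swaps the binary can swap the digest.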