Lenovo has been accused of putting users at "massive security risk" through newly-discovered flaws in its online product update service which allow hackers to download malware onto user systems through a man-in-the-middle (MiTM) attack.
The holes were revealed by security firm IOActive, just weeks after Lenovo was found to be shipping PCs with pre-installed ‘Superfish' adware that also left its users open to MITM attacks.
In an advisory today, IOActive researchers Michael Milvich and Sofiane Talmat said they had discovered “high-severity” privilege escalation vulnerabilities in Lenovo's system update service, which enables users to download the latest drivers and other software, including security patches, from Lenovo's website.
The researchers found the flaws in February, and have now gone public after giving Lenovo time to develop a patch, which the company issued last month.
But while the patch fixes the problems, users have to download the security update to protect themselves.
Milvich and Talmat said one of the vulnerabilities, CVE-2015-2233, allows local and remote hackers to bypass the device's signature validation checks and replace trusted Lenovo applications with malware.
Another bug, CVE-2015-2219, is a weakness in Lenovo's security token system, which means least-privileged users could gain high-level access to Lenovo PCs, laptops and other devices and run their own malicious commands and programs.
“Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk,” the researchers said.
A third flaw, CVE-2015-2234, allows local unprivileged users to run commands as an admin user.
The problems affect Lenovo System Update 126.96.36.199 and earlier versions.
The researchers said through the first bug, attackers can create a fake certificate authority to sign executables as Lenovo does not completely verify executables after they are downloaded through the system update.
“Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.”
Lenovo has been plagued by security problems in recent months and the latest privilege escalation flaws have drawn criticism from independent cyber security experts.
John Walker, director of security services firm ISX and a visiting professor at Nottingham-Trent University, said Lenovo had "clearly deployed a facility that is not fit for purpose, nor robust".
“Hackers these days are saying ‘you know what, if you want to hack something, don't think of anything new, use the systems and mechanisms that are there already'," he said.
“Hackers can see here a way of getting into something that is clearly not tied down, and it's an ideal way of delivering potentially thousands of Trojans into corporate environments.”
Sofiane Talmat, a senior security consultant for IOActive, confirmed Lenovo has patched the problems, but pointed out that users have to download the latest version of the Update software to be secure.
Lenovo said it valued IOActive's responsible reporting of the issue.
"Lenovo released an updated version of Lenovo System Update on April 1st, which resolves these vulnerabilities. We subsequently published a security advisory in coordination with IOActive," a spokesperson said.
"Existing installations of Lenovo System Update will prompt the user to automatically install the updated version when the application is run. Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive."