Massive Security Risk in Lenovo Computers


Security researchers found another 'massive security risk' in Lenovo computers

Chinese PC maker issues a patch to fix multiple vulnerabilities

By Rich McCormick on May 6, 2015 12:08 am

Three months after Lenovo was called out for installing dangerous software onto its computers, the world's largest PC manufacturer has once again been accused of lax security measures. Security firm IOActive reports that it discovered major vulnerabilities in Lenovo's update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar.

Through one of the vulnerabilities, IOActive researchers explained, attackers could create a fake certificate authority and use it to sign executables, allowing malicious software to masquerade as official Lenovo software. The update client checked that downloaded programs carried a signature, but not that the signature chained back to a certificate authority it actually trusted, so a CA generated by the attacker passed the check. Should a Lenovo owner update their machine in a coffee shop, another individual on the same network could conceivably use the hole to intercept the update traffic and swap Lenovo's programs for their own, what the researchers call the "classic coffee shop attack." This hole, along with the others IOActive describes, is present in Lenovo System Update 5.6.0.27 and earlier versions.

The vulnerabilities, first discovered by the security specialists back in February, were brought to Lenovo's attention at the time so that the Chinese firm could develop a fix. The company issued a patch last month that removes the bugs, but owners of Lenovo machines will need to download the security update themselves in order to avoid having their computers compromised by what IOActive calls a "massive security risk." Since the flawed component is the update tool itself, the same man-in-the-middle could in principle tamper with that download too, so the fix is best applied from a network you trust.
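The difference between "signed by something called a Lenovo CA" and "signed by a chain that ends in a CA the client trusts" is the whole vulnerability, so here it is in code. This is an added example written for this page, not code from the article, from IOActive or from Lenovo; the CA name, the certificates and the two checks are constructed here. WeakCheck models the flawed class of validation (accept the CA by name, accept the leaf because that CA signed it); StrongCheck pins a root inside the client and lets Go's x509 verifier walk the chain. An attacker-generated CA with the vendor's name passes the first and fails the second.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical CA name; the article does not give the real certificate subjects.
const vendorCAName = "Example Vendor Update CA"

// Update is what the client receives alongside a downloaded executable: the code-signing
// certificate and the CA certificate that the signer claims issued it.
type Update struct {
	Leaf *x509.Certificate
	CA   *x509.Certificate
}

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// mint creates a self-signed CA called name and has it issue one code-signing leaf.
// A vendor does exactly this; so can an attacker, since nothing stops anyone from
// generating a CA with whatever name they like.
func mint(name string) (*x509.Certificate, Update, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Update{}, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Update{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, Update{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Update Signer"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf, err := mkCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, Update{Leaf: leaf, CA: ca}, err
}

// WeakCheck models the flaw: the CA is accepted because it is *named* like the vendor's,
// the leaf because that CA signed it. No trust anchor is consulted, so a CA the attacker
// generated a minute ago passes.
func WeakCheck(u Update) bool {
	return u.CA.Subject.CommonName == vendorCAName && u.Leaf.CheckSignatureFrom(u.CA) == nil
}

// StrongCheck anchors the chain in a root pool pinned inside the client. The supplied CA
// is only an untrusted intermediate; Verify fails unless the chain reaches a pinned root.
func StrongCheck(u Update, roots *x509.CertPool) bool {
	inter := x509.NewCertPool()
	inter.AddCert(u.CA)
	_, err := u.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// Scenario builds the vendor's real CA and an attacker's CA with the same name, one update
// signed under each, and reports: does WeakCheck accept the forged update, does
// StrongCheck accept it, and does StrongCheck still accept the genuine one.
func Scenario() (weakForged, strongForged, strongGenuine bool, err error) {
	vendorCA, genuine, err := mint(vendorCAName)
	if err != nil {
		return
	}
	_, forged, err := mint(vendorCAName) // attacker: same CN, attacker's own key
	if err != nil {
		return
	}
	roots := x509.NewCertPool() // the trust anchor a correctly built client ships with
	roots.AddCert(vendorCA)
	return WeakCheck(forged), StrongCheck(forged, roots), StrongCheck(genuine, roots), nil
}

func main() {
	w, s, g, err := Scenario()
	fmt.Println(w, s, g, err) // true false true <nil>
}
```

The point of the contrast is that both checks verify a signature; the weak one simply has no way to tell the vendor's CA from a lookalike, because a subject name is attacker-controlled data. Pinning the root (or the leaf's key) in the client is what turns "signed" into "signed by us".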
Lenovo may have reacted quickly to the problems, but as the world's number one PC manufacturer tries to grow even bigger, it's yet another embarrassing security hole in its software.

Comments (20)

treehuggr
Reason #5750 to get a Surface Pro over Lenovo, or any other OEM notebooks.
Posted on May 6, 2015 | 12:11 AM

  M_Swizzle (reply)
  Windows gets security patches too, along with every OS and program. That's what monthly Patch Tuesdays are for at MS. Lenovo did right, they patched it when discovered. They were prudent.
  Posted on May 6, 2015 | 12:27 AM

  TinyLittleSeer (reply)
  Whilst I hate OEM crapware as much as the next person, this is actually a textbook example of how to handle a security flaw. Researchers found a vulnerability and notified Lenovo, who promptly fixed the vulnerability and issued a patch, apparently before it was exploited in the wild. This is a non-issue and nothing like the Superfish adware.
  Posted on May 6, 2015 | 12:55 AM

  hamsah (reply)
  Surface is not a laptop. Lenovo's hardware just forms Windows' high end. As the others have said, problem found, problem fixed, this is how it should be done.
  Posted on May 6, 2015 | 2:28 AM

  Ezhik (reply)
  What about the TrackPoint, the rollcage, replaceable batteries, DVD drives, more than 1 USB port, LAN, VGA, eSATA, mini-PCIe, user repairability, extendable RAM, replaceable storage, and fingerprint readers?
  Posted on May 6, 2015 | 4:16 AM

  ldrn (reply)
  Those are all reasons in the other column. TrackPoint @_@
  Posted on May 6, 2015 | 4:33 AM

Chaz_UK
Screw OEM preinstalled crap. First thing I do to a computer is install a fresh, virgin install of Windows.
Posted on May 6, 2015 | 12:16 AM

  M_Swizzle (reply)
  Windows and Android have vulnerabilities as well that require patching. I understand getting upset about the last event with potential ad injection software, but this recent event is a discovered vulnerability that was patched when discovered, just as MS, Google, or any good company does. In other words, nothing to see here.
  Posted on May 6, 2015 | 12:25 AM

  trojan__market (reply)
  Which is why I buy laptops from the Microsoft store, or if there is a good deal, the first thing I do is use the Windows key to reinstall the OS before even using it. Bloatware is always problematic.
  Posted on May 6, 2015 | 12:41 AM

  Sorto (reply)
  When W10 launches and you can buy W10 devices you no longer really have to do that, especially for people who can't even buy one from MS, like we in Europe. I'd imagine you will probably see some tutorials on various websites once they "discover" that feature, because in Windows 10 OEMs can no longer put a recovery image that can be used for online reset/refresh and instead have a little image that literally only has changes in it, so you can delete the package or rename it and when you refresh or reset Windows you get a clean Windows. It's a bit more work, but it's a pretty good option if you can't buy a Signature PC, and it doesn't require you to download some .iso etc. to re-install Windows.
  Posted on May 6, 2015 | 3:06 AM

  ldrn (reply)
  That's a lot like what I do, only it's a different OS :smile:
  Posted on May 6, 2015 | 4:34 AM

getsir
Security vulnerabilities or backdoors? Why do I get a feeling that these might be intentionally left security bugs under the orders of the Chinese government?
Posted on May 6, 2015 | 12:46 AM

  NigelTufnel (reply)
  Exactly. This is most likely not a mistake.
  Posted on May 6, 2015 | 1:02 AM

  jeevanmn (reply)
  The truth is out
  Posted on May 6, 2015 | 2:52 AM

  echomrg (reply)
  Nope, the "bugs" left under orders by the Chinese government aren't found so easily.
  Posted on May 6, 2015 | 3:36 AM

JohnDavidson
Lenovo was better under IBM.
Posted on May 6, 2015 | 1:36 AM

  aThingOrTwo (reply)
  Thinkpad?
  Posted on May 6, 2015 | 3:51 AM

iChiranjeeb
Security hole found and fixed. Nothing to see here. Move on.
Posted on May 6, 2015 | 2:03 AM

  Ezhik (reply)
  No, let's keep shaming OEMs until we get crapless vanilla Windows on all new laptops.
  Posted on May 6, 2015 | 4:18 AM

Visa Declined
I'm glad this shit isn't happening to Asus.
Posted on May 6, 2015 | 4:13 AM