Lenovo System Update Patched Against Security Issues

On the 25th of November, two elevation of privilege (defined) security issues (CVEs, defined) in Lenovo’s System Update application were disclosed by the security firm IOActive. System Update is the application used to automatically download and install updates from Lenovo on systems such as ThinkPads and ThinkStations (among others).

Why Should These Issues Be Considered Important?
Both issues are elevation of privilege flaws, so the attacker is assumed to already have a low-privileged foothold on the system. If an attacker were to exploit the first issue, responsibly disclosed (defined) by IOActive, they could open Internet Explorer with administrative privileges. As IOActive discusses, those additional privileges could then be used to obtain SYSTEM level privileges on the affected system, giving the attacker complete control over it.

The second issue concerns how System Update creates and uses a temporary Windows administrator account, specifically how that account’s username and password are generated. The username contains a sequence of characters (otherwise known as a string) that is predictable. The password can be generated by one of two methods, and the second method has also been found to be predictable. An attacker who could predict both the username and the password of the temporary account could use it to obtain administrative privileges over the affected system.
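To make the "predictable credentials" failure concrete, the following PowerShell is an added illustration written for this page; it is not Lenovo’s or IOActive’s code and does not reproduce System Update’s actual generator. The weak generator is a stand-in for any scheme an attacker can reproduce (here, assumed for illustration, a PRNG seeded from the clock); the strong one draws from the OS cryptographic RNG, which is what a temporary administrator password should always come from.

```powershell
# Added illustration, not Lenovo's code. The weak generator below is an
# ASSUMED stand-in for "a scheme an attacker can reproduce", not a
# description of System Update's real algorithm.

# Alphabet without look-alike characters (0/O, 1/l/I).
$Alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789')

function New-WeakPassword {
    param([int]$Length = 12, [int]$Seed)
    # Seeded PRNG: anyone who can guess the seed (for example the install
    # time to the second) regenerates the identical password.
    $rng = [System.Random]::new($Seed)
    -join (1..$Length | ForEach-Object { $Alphabet[$rng.Next($Alphabet.Length)] })
}

function New-StrongPassword {
    param([int]$Length = 24)
    # OS CSPRNG; rejection sampling avoids modulo bias over the alphabet.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = [byte[]]::new(1)
    $limit = 256 - (256 % $Alphabet.Length)
    $sb    = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($Alphabet[$buf[0] % $Alphabet.Length])
        }
    }
    $sb.ToString()
}

# Demonstration: the "installer" and the "attacker" both derive the seed from
# the same coarse timestamp, so the attacker recovers the exact password.
$installSeed = [int]([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() % [int]::MaxValue)
$victim   = New-WeakPassword -Seed $installSeed
$attacker = New-WeakPassword -Seed $installSeed
"Weak generator: attacker's guess matches victim's password: $($victim -eq $attacker)"

# With a CSPRNG two independent draws never coincide in practice, and there is
# no seed to recover.
$a = New-StrongPassword
$b = New-StrongPassword
"Strong generator: two draws equal: $($a -eq $b)"
```

Even a seed with a few million possible values is a trivial brute force for a local attacker, so the fix is never a "better" seed; it is a cryptographic RNG, and ideally no persistent temporary account at all.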

How Can I Protect Myself From These Issues?
Lenovo has released a security advisory with details on how to obtain the most recent version of System Update, which addresses both issues. If you have Lenovo System Update installed, I would recommend installing the most recent version as soon as possible in order to protect yourself from these issues.
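The following PowerShell is an added check written for this page, not part of Lenovo’s advisory. It reports the installed System Update version against a minimum, and lists any members of the local Administrators group whose name matches a temporary-account prefix. Both the version threshold and the prefix are assumptions (placeholders); take the real fixed version and account naming pattern from Lenovo’s and IOActive’s advisories before relying on the result.

```powershell
# Added check, not from Lenovo's advisory. Run in an elevated PowerShell on
# Windows 10 / Server 2016 or later (Get-LocalGroupMember requires the
# Microsoft.PowerShell.LocalAccounts module).
$MinimumFixedVersion = [version]'5.7.0.0'   # ASSUMPTION: replace with the version in Lenovo's advisory
$TempAccountPrefix   = 'tvsu_tmp'           # ASSUMPTION: adjust to the pattern in IOActive's advisory

# Installed software is registered under both native and WOW6432Node keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$su = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -like 'Lenovo System Update*' } |
      Select-Object -First 1

if (-not $su) {
    'Lenovo System Update is not installed on this machine.'
} else {
    $installed = $null
    if ([version]::TryParse($su.DisplayVersion, [ref]$installed)) {
        if ($installed -lt $MinimumFixedVersion) {
            "System Update $installed is older than $MinimumFixedVersion - update it now."
        } else {
            "System Update $installed is at or above the assumed fixed version."
        }
    } else {
        "System Update is installed but its version string '$($su.DisplayVersion)' could not be parsed."
    }
}

# A leftover temporary administrator account is a sign the cleanup step failed
# and is worth investigating regardless of the installed version.
$suspects = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -like "*\$TempAccountPrefix*" }
if ($suspects) {
    'Local Administrators members matching the temporary-account prefix:'
    $suspects | ForEach-Object { "  $($_.Name)" }
} else {
    'No local Administrators members match the temporary-account prefix.'
}
```

The version comparison uses [version] rather than string comparison so that, for example, 5.07.0013 sorts correctly against 5.7.0.0. On a fleet, the same two checks map directly onto an inventory query (installed version) and a detection rule (unexpected local administrator accounts).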

Thank you.
