On the 25th of November 2 elevation of privilege (defined) security issues (CVEs, defined) were discussed by security firm IOActive relating to Lenovo’s System Update application. This application is used to automatically download and install updates from Lenovo for systems such as ThinkPads and ThinkStations (among others).
Why Should These Issues Be Considered Important?
If an attacker were to use the first issue responsibly disclosed (defined) by IOActive, the attackers could have opened Internet Explorer with Administrative privileges. As discussed by IOActive these additional privileges could then be used by an attacker to obtain System level privileges over the affected system giving them complete control over it.
The second remaining issue related to how a temporary Windows administrative account is created and used by System Update specifically how it’s username and password are generated. The username contains a sequence of characters (otherwise known as a string) that is predictable. The password for the temporary account can be generated using 1 of 2 methods, it is the second method that has also been found to be predictable. If an attacker were to exploit this second issue they could potentially obtain administrative privileges over the affected system.
How Can I Protect Myself From These Issues?
Lenovo have released a security advisory that contains details on how to obtain the most recent version of System Update that addresses these issues. If you have Lenovo System Update installed, I would recommend installing the most recent version of System Update as soon as possible in order to protect yourself from these issues.