Just a few weeks after Lenovo was outed for shipping critically flawed adware that bypassed security and enabled attacks, researchers discovered another serious man-in-the-middle flaw.
A man-in-the-middle attack lets an attacker impersonate someone you trust. In Lenovo's case, the System Update feature could be compromised so that an attacker could use it to install malware. Yuck.
The researchers explain:
The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables.
Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.
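To make the quoted point concrete, here is an added example (my own, not Lenovo's or the researchers' code) using Python's `cryptography` library: a verifier that only checks that the signature matches the certificate bundled with the update, beside one that also requires that certificate to be issued by a pinned vendor root. The vendor and CA names and the update bytes are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

def make_cert(subject, subject_key, issuer, issuer_key):
    """Issue a 30-day Ed25519 certificate for subject_key, signed by issuer_key."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .sign(issuer_key, None))  # Ed25519 takes no separate hash algorithm

def signature_matches(blob, sig, cert):
    """Incomplete check: sig is valid under cert's key, with no regard to who issued cert."""
    try:
        cert.public_key().verify(sig, blob)
        return True
    except InvalidSignature:
        return False

def verify_update(blob, sig, cert, trusted_root):
    """Complete check: signature valid AND cert issued by the pinned vendor root.
    (A production verifier also checks validity dates, key usage and revocation.)"""
    if not signature_matches(blob, sig, cert) or cert.issuer != trusted_root.subject:
        return False
    try:
        trusted_root.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
        return True
    except InvalidSignature:
        return False

# Constructed scenario: the vendor's pinned root and its genuine signing cert...
root_key = ed25519.Ed25519PrivateKey.generate()
VENDOR_ROOT = make_cert("Vendor Root", root_key, "Vendor Root", root_key)
vendor_key = ed25519.Ed25519PrivateKey.generate()
VENDOR_CERT = make_cert("Vendor Updates", vendor_key, "Vendor Root", root_key)
# ...and a same-named signing cert under an unrelated CA, which a verifier must reject.
other_ca_key = ed25519.Ed25519PrivateKey.generate()
other_key = ed25519.Ed25519PrivateKey.generate()
OTHER_CERT = make_cert("Vendor Updates", other_key, "Other CA", other_ca_key)
GENUINE = b"constructed genuine update"  # stand-in for the real executable
GENUINE_SIG = vendor_key.sign(GENUINE)
SWAPPED = b"constructed swapped update"  # stand-in for a substituted executable
SWAPPED_SIG = other_key.sign(SWAPPED)
```

The signature-only check accepts both updates, which is the gap the researchers describe; the chained check accepts only the one issued under the pinned root.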
If you have a Lenovo laptop, make sure you update it right now! Lenovo has a guide showing you how to do so. The problems affect Lenovo System Update 18.104.22.168 and earlier versions, but you can let System Update tell you if you need an updated version.
But since the flaw is in System Update itself, run that update from a private network such as your home or office, not from a public one such as a coffee shop.