Lenovo has issued a patch for a flaw in the System Update utility shipped with its computers, which researchers say could allow hackers to replace trusted applications with malicious versions.
Security researchers at IOActive said in an advisory detailing three separate vulnerabilities that hackers could bypass the checks meant to ensure the integrity of applications, allowing them to run malware on an affected Lenovo machine.
“An attacker can create a fake [certificate authority] and use it to create a code-signing certificate, which can then be used to sign executables,” the advisory says. “Since the System Update failed to properly validate the certificate authority, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user.”
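To make the advisory's point concrete, here is an added example that is not Lenovo's or IOActive's code. It is a small Go program that builds a hypothetical vendor root CA and an attacker's self-made fake CA, has each issue a code-signing certificate, signs a constructed payload under each, and then runs two verifiers over the result. The first checks only that the signature matches the certificate bundled with the package, which is the class of check the advisory describes as failing to validate the certificate authority; the second additionally requires the bundled certificate to chain to the pinned vendor root with a code-signing extended key usage. All names, the package layout and the ECDSA/SHA-256 choice are assumptions for illustration; the page does not describe Lenovo's actual format or algorithms.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// signedPackage is an update as the verifier sees it: bytes, ECDSA signature over SHA-256(bytes), bundled DER leaf cert.
type signedPackage struct{ payload, sig, leafDER []byte }

func check(err error) {
	if err != nil {
		panic(err) // setup failures only; nothing here is attacker-controlled
	}
}

// template builds a CA or a code-signing leaf template. The vendor root and the attacker's
// fake CA come from the same template: only the verifier's trust store can tell them apart.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
		t.ExtKeyUsage = nil // a CA with no EKU may issue for any purpose
	}
	return t
}

// issue generates a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signPackage signs SHA-256(payload) with the leaf key and bundles the leaf certificate.
func signPackage(payload []byte, leaf *x509.Certificate, key *ecdsa.PrivateKey) *signedPackage {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return &signedPackage{payload: payload, sig: sig, leafDER: leaf.Raw}
}

// verifyVulnerable reproduces the flaw the advisory describes: the signature is checked against
// whatever certificate came with the package, so a key certified by any CA at all passes.
func verifyVulnerable(pkg *signedPackage) error {
	leaf, err := x509.ParseCertificate(pkg.leafDER)
	if err != nil {
		return err
	}
	return leaf.CheckSignature(x509.ECDSAWithSHA256, pkg.payload, pkg.sig) // hashes payload itself
}

// verifyFixed adds the missing step: the bundled certificate must chain to the pinned vendor
// root and be valid for code signing before its key is trusted for anything.
func verifyFixed(pkg *signedPackage, root *x509.Certificate) error {
	leaf, err := x509.ParseCertificate(pkg.leafDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	opts.Roots.AddCert(root)
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	return leaf.CheckSignature(x509.ECDSAWithSHA256, pkg.payload, pkg.sig)
}

// runScenario signs one constructed package under the vendor root and one under an attacker's
// fake CA, then reports how each verifier judges the forgery and the genuine package.
func runScenario() (vulnAcceptsFake, fixedAcceptsFake, fixedAcceptsGenuine bool) {
	root, rootKey := issue(template("Vendor Update Root (hypothetical)", true), nil, nil)
	goodLeaf, goodKey := issue(template("Vendor Update Signer", false), root, rootKey)
	genuine := signPackage([]byte("constructed: genuine update bytes"), goodLeaf, goodKey)
	fakeCA, fakeCAKey := issue(template("Attacker Fake CA", true), nil, nil)
	fakeLeaf, fakeKey := issue(template("Vendor Update Signer", false), fakeCA, fakeCAKey)
	forged := signPackage([]byte("constructed: malicious update bytes"), fakeLeaf, fakeKey)
	return verifyVulnerable(forged) == nil, verifyFixed(forged, root) == nil, verifyFixed(genuine, root) == nil
}

func main() {
	fmt.Println(runScenario()) // prints: true false true
}
```

Run with `go run` and the program prints `true false true`: the vulnerable check accepts the forgery, the fixed check rejects it with an unknown-authority error, and the fixed check still accepts the genuine package. The design point is that a bare signature check only answers "was this signed by the key in the attached certificate", which any attacker can arrange; chaining to a pinned root answers "is this a key the vendor authorised". The code-signing key usage in the verify options matters as well, so that a certificate the vendor issued for some other purpose cannot be repurposed to sign updates.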
The “high”-rated flaw affects all ThinkPad, ThinkCentre, and ThinkStation products, along with V, B, K, and E-series machines.
The latest security vulnerability comes in the wake of the company admitting it installed internet traffic-intercepting software on certain consumer notebooks. The company downplayed the controversy, but later issued a fix to remove the software.
The update also fixes two other flaws: one that let a lower-privileged user skirt the restrictions placed on their account, potentially allowing a malicious actor to run malware as the “system” user, and one in how Lenovo’s system update service works that could be used to escalate privileges.