More Lenovo woes: 3 security flaws, website clerical errors, maybe layoffs

After the US Computer Emergency Readiness Team (US-CERT) called pre-installed Superfish “a critical vulnerability affecting Lenovo consumer personal computers,” several lawsuits were filed against Lenovo and adware maker Superfish. Lenovo’s chief technology officer admitted, “We messed up badly.” But that almost seems like a mantra for Lenovo lately, as the company is again in the news over a security snafu.

3 new security holes in Lenovo System Update

IOActive reported discovering three “high” severity security vulnerabilities in Lenovo System Update and earlier versions. Lenovo’s System Update service was meant to keep users patched with the latest software and drivers, but IOActive found privilege escalation vulnerabilities in Lenovo’s service.

CVE-2015-2219 could allow local, least-privileged users to “run commands as the System user.” CVE-2015-2234 could allow local, unprivileged users to “run commands as an administrative user.” CVE-2015-2233 could allow local and potentially even remote attackers “to bypass signature validation checks and replace trusted Lenovo applications with malicious apps.” IOActive researchers Michael Milvich and Sofiane Talmat (pdf) added, “Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk.”

Read the Full Article: Source – Computer World
