Lenovo fixes two PC system update tool vulnerabilities

Lenovo has issued a patch which fixes vulnerabilities located in the software which comes preloaded with some of the laptops it sells.

The company recently released version 5.07.0019 of Lenovo System Update. This tool is made to keep the BIOS and drivers updated, previously called ThinkVantage System Update.

The patch “provides a direct connection to Lenovo Service and Support for ThinkPad and ThinkCentre drivers, software and BIOS updates”, and “helps maximize your system performance and minimize security vulnerability,” Lenovo said.

The vulnerabilities this patch fixes were spotted by researchers at IOACtive.

One of the vulnerabilities allowed users to start an Internet Explorer with administrator privileges, even though they weren't on the administrator account.

That was possible as Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.

"From there, an unprivileged attacker has many ways to exploit the web browser instance running under Administrator privileges to elevate his or her own privileges to Administrator or SYSTEM," IOActive security researcher Sofiane Talmat said.

The second vulnerability is related to the way usernames and passwords are generated. Even though the passwords were randomly generated, the script was built in a predictable way.

"It is possible for an attacker to regenerate the same username based on the time the account was created," Talmat said.

"This means an attacker could under certain circumstances predict both the username and password and use them to elevate his or her privileges to Administrator on the machine.”