Researchers at security company IOActive revealed a vulnerability they ranked as “High” severity on Lenovo computers. The security flaw renders user privileges on the computers nearly useless. It could, for example, allow a user with a guest account to access any part of the system.
According to the Internet security publication SC Magazine, the weakness “means least-privileged users could gain high-level access to Lenovo PCs, laptops and other devices and run their own malicious commands and programs.”
Lenovo has released a patch for the vulnerability. IOActive alerted the company to the hole in February, and according to a statement from Lenovo, the two companies worked together to fix the flaw, which was in Lenovo System Update.
The latest finding adds to a growing list of serious vulnerabilities on Lenovo computers.
In mid-February, researchers found Lenovo computers were shipping pre-installed with malware that could spy on users and send them to fake Web pages.
The “Superfish” adware was found installed on all consumer Lenovo laptops, and was designed to inject ads into the user’s Web browser, send their browser information back to the computer, and monitor the user’s activity.
The adware also installed a fake Web certificate, which allowed it to send users to fake websites that appeared genuine.
“We trust our hardware manufacturers to build products that are secure,” wrote security researcher Marc Rogers on his blog. “In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer, you are in a very difficult position.”
“When bad guys are able to get into the supply chain and install malware, it is devastating,” he wrote, noting that “Lenovo has partnered with a company called Superfish to install advertising software on its customers’ laptops.”
A representative from Lenovo said they have “ceased the product relationship with the makers of Superfish” and said “such programs will not appear as preloaded software on Lenovo machines in the future.”