Security researchers Michael Milvich and Sofiane Talmat from IOActive made public in April the flaws they found in software pre-installed on Lenovo PCs running Windows. The researchers had discovered the flaws in February but gave Lenovo time to patch them.

The researchers said that the vulnerabilities affect Lenovo System Update version 5.6.0.27 and earlier. Lenovo System Update is preinstalled software, previously known as ThinkVantage System Update, that is present on Lenovo ThinkPad, ThinkCentre and ThinkStation laptops and tablets, as well as Lenovo V/B/K/E Series PCs.

The researchers said that one of the flaws, which they rated as critical, centered on a “race condition,” in which attackers can make System Update verify that an executable file is a legitimate one and then substitute a malicious executable file for it.

“Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation,” Lenovo stated in the security advisory.

The Lenovo security advisory states that users need to update the Lenovo software to version 5.06.0034 or later. “Lenovo System Update automatically checks for a [new] version whenever the application is run,” the company’s security advisory says. “Click OK when prompted that new version is available.”

If you own a Lenovo PC or laptop, you can download the patch from here.
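
The race condition described above is a check-then-use gap, and the added example below (not Lenovo's or IOActive's code) shows the weak pattern beside a hardened one. It assumes a SHA-256 digest as a stand-in for the updater's real validation, and the function names, file names and the `window` callback that rewrites the download path are hypothetical.

```python
import hashlib
import os
import tempfile

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_then_use(path, expected, window=lambda: None):
    """Weak pattern: validate the file at `path`, then reopen `path` to run it."""
    with open(path, "rb") as f:
        if digest(f.read()) != expected:
            raise ValueError("update rejected: digest mismatch")
    window()  # time that passes between the check and the use
    with open(path, "rb") as f:
        return f.read()  # stands in for the bytes that get executed

def stage_then_check(path, expected, window=lambda: None):
    """Hardened pattern: copy once into a private directory, then validate
    and use that same copy, so later writes to `path` have no effect."""
    staging = tempfile.mkdtemp()  # directory private to the current user
    private = os.path.join(staging, "update.bin")
    with open(path, "rb") as src, open(private, "wb") as dst:
        dst.write(src.read())
    window()
    with open(private, "rb") as f:
        data = f.read()
    if digest(data) != expected:
        raise ValueError("update rejected: digest mismatch")
    return data

def demo():
    """Run both patterns while the shared download path is rewritten mid-flight."""
    good, other = b"constructed vendor update", b"constructed replacement"
    results = {}
    for name, install in (("weak", check_then_use), ("hardened", stage_then_check)):
        shared = os.path.join(tempfile.mkdtemp(), "download.bin")
        with open(shared, "wb") as f:
            f.write(good)  # constructed sample input
        def rewrite(p=shared):
            with open(p, "wb") as f:
                f.write(other)
        # True means the bytes finally used are the ones that were validated
        results[name] = install(shared, digest(good), rewrite) == good
    return results

if __name__ == "__main__":
    print(demo())
```

In a real updater the staging directory would need to be writable only by the privileged update service, since the validated copy is what gets executed.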