Lumension® Endpoint Intelligence Center


Lenovo patches vulnerabilities in system update service


Threatpost - (International) Security researchers from IOActive reported that Lenovo patched three vulnerabilities in April. One is a serious bug that allows least privileged users to potentially run commands as a system administrator due to the use of a predictable authentication token. Another lets an attacker bypass signature validation by creating a fake certificate authority (CA) to swap out executables being downloaded by System Update. The third lets local users run commands as an administrator using a directory writable by any user.


Note: This news synopsis is taken from the DHS Daily Open Source Infrastructure Report, a daily [Monday through Friday, except US Federal holidays] summary of open-source published information concerning significant critical infrastructure issues; a 10-day archive of the DOSIR can be found at:

Last Updated: 27 May 2016 10:24:15