Wednesday, 25 November 2015

Lenovo Used Insecure Password For Admin Account

Computer manufacturer Lenovo has released an update to the System Update tool that fixes two critical vulnerabilities that could allow a local attacker to gain system or administrator rights. The software is installed on most Lenovo computers and checks for new versions of drivers and other software. Users can also download and install updates with it.

The first issue (pdf) in the System Update tool concerned the temporary system administrator account that Lenovo created. This account was generated with a predictable name and an insecure password, which allowed a local user to gain admin privileges. The second issue (pdf) concerned a problem that allows a local unprivileged user to execute Windows commands with system privileges.

Both vulnerabilities were discovered by security firm IOActive and reported to Lenovo in October and early November. The computer manufacturer released an update to the System Update tool last week, 17 days after the notification. The details of the vulnerabilities have now been made public, including a proof-of-concept that demonstrates one of the attacks. Lenovo users are advised to install version 5.07.0019 or later of the System Update tool.
