Lenovo machines suffer ‘Superfish’ sequel in new security fiasco

A security research firm has revealed a new set of security vulnerabilities on Lenovo systems.

Earlier this year, we reported on the ‘Superfish’ debacle, the uncovering of a serious bug that created a massive headache at Lenovo HQ.

Superfish potentially allowed third parties to create spurious authentication certificates that could bypass, for instance, your bank’s online security checks.

Now, IOActive researchers claim that fresh flaws were uncovered in February, although they’ve since been patched.

One of the vulnerabilities allowed attackers to create a fake certificate authority to sign executables, as reported by SCMagazine.

This means that third parties could create dodgy software that would pretend to be official Lenovo fare.

Related: Best Laptops, Ultrabooks, and Hybrids 2015

If, for instance, a user updated their laptop in a coffee shop, the security hole could be exploited to load a machine with the spurious software.

“The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables,” explained the researchers.

“Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.”

The China-based manufacturer has now fixed the flaws as of last month’s patch, although users who haven’t updated their machines yet may still be vulnerable.