
Lenovo machines suffer ‘Superfish’ sequel in new security fiasco

A security research firm has revealed a new set of security vulnerabilities on Lenovo systems.

Earlier this year, we reported on the ‘Superfish’ debacle, the uncovering of a serious bug that created a massive headache at Lenovo HQ.

Superfish potentially allowed third parties to create spurious authentication certificates that could bypass, for instance, your bank’s online security checks.

Now, IOActive researchers claim that fresh flaws were uncovered in February, although they’ve since been patched.

One of the vulnerabilities allowed attackers to create a fake certificate authority to sign executables, as reported by SCMagazine.

This means that third parties could create dodgy software that would pretend to be official Lenovo fare.

If, for instance, a user updated their laptop in a coffee shop, the security hole could be exploited to load a machine with the spurious software.

“The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables,” explained the researchers.

“Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.”

The China-based manufacturer has now fixed the flaws as of last month’s patch, although users who haven’t updated their machines yet may still be vulnerable.
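The verification gap the researchers describe, as an added illustration that is not part of the original article or of Lenovo's own code: a "weak" verifier that only checks the signature against the certificate shipped with the executable accepts an update signed under an attacker-made CA, while a verifier that also chains that certificate to a pinned vendor root rejects it. All names, keys and payloads are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// cert generates a P-256 key plus a certificate for it signed by parent; parent == nil yields a self-signed root.
func cert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil { parent, pkey = t, k } // self-signed root: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &k.PublicKey, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, k
}
// sign hashes the executable bytes and signs the digest, as a code-signing tool would.
func sign(exe []byte, k *ecdsa.PrivateKey) []byte { h := sha256.Sum256(exe); s, _ := ecdsa.SignASN1(rand.Reader, k, h[:]); return s }
// weakVerify mirrors the flaw quoted above: the signature checks out against the key in the shipped certificate, but nobody asks who issued that certificate.
func weakVerify(exe, sig []byte, signer *x509.Certificate) bool {
	h := sha256.Sum256(exe)
	return ecdsa.VerifyASN1(signer.PublicKey.(*ecdsa.PublicKey), h[:], sig)
}
// strictVerify also chains the signer certificate to the pinned vendor root and demands a code-signing EKU.
func strictVerify(exe, sig []byte, signer *x509.Certificate, roots *x509.CertPool) bool {
	_, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil && weakVerify(exe, sig, signer)
}
// demo pits the vendor PKI against an attacker PKI that copies its names; returns (weak accepts forged, strict accepts forged, strict accepts genuine).
func demo() (bool, bool, bool) {
	vCA, vCAKey := cert("Vendor Update CA", true, nil, nil)
	vSigner, vKey := cert("Vendor Update Signer", false, vCA, vCAKey)
	rCA, rCAKey := cert("Vendor Update CA", true, nil, nil) // attacker-made CA: identical name, no trust
	rSigner, rKey := cert("Vendor Update Signer", false, rCA, rCAKey)
	genuine, forged := []byte("constructed genuine installer"), []byte("constructed swapped-in executable")
	gSig, fSig := sign(genuine, vKey), sign(forged, rKey)
	roots := x509.NewCertPool() // the only trust anchor the updater should accept
	roots.AddCert(vCA)
	return weakVerify(forged, fSig, rSigner), strictVerify(forged, fSig, rSigner, roots), strictVerify(genuine, gSig, vSigner, roots)
}
```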
