Lenovo system update flaws plugged, security world not impressed

Lenovo faces renewed accusations of lax security practices - just three months after the Superfish debacle - after it was obliged to fix flaws in its software update system. Security researchers at IOActive uncovered a mechanism that would have allowed hackers to create a fake certificate authority in order to sign executables …

  1. regadpellagru

    Just wondering why ...

    I'm just wondering what is the justification for Lenovo or any PC maker to have ANY update system at all on the user-owned (pun strongly suggested) PC?

    WHY ? Even if it was not Lenovo, I'd do everything to remove this updater.

    1. Mark Allen

      Re: Just wondering why ...

      It always puzzles me too. All they seem to do is update the bloatware on the computers. Driver updates usually get abandoned by many of the manufacturers within a few months of release.

      When setting up new machines, after one check of the manufacturer's update tools it will then be removed. Too many of them have these kinds of issues in them, or are just blatant processor wasters with constant daily checks.

    2. BMG4ME

      Re: Just wondering why ...

      Because they update important software. I am not removing System Update, in fact it's usually one of the first things I look for when I get a new Lenovo system, to make sure that it's there.

      Putting this into perspective, I am just looking at the list of installed Microsoft Windows "Security Updates" on this PC - there are 257 of them, many of them I am sure released by Microsoft to patch flaws no less serious than the ones discovered in System Update.

      These are my personal views.

  2. This post has been deleted by its author

    1. FrankAlphaXII
      Thumb Up

      I'd bet they have people working 24/7/365, I would not be surprised at all if there's a full shift of people in the war room and working on other things there at all times.

      I agree 100% that their writings are definitely worth looking at though. It's good stuff if you care about security at all.

      1. englishr
        Headmaster

        "I'd bet they have people working 24/7/365, "

        Gadzooks - working 365 weeks a year! No wonder they're so productive.

        1. Anonymous Coward

          Actually I think it's pretty irresponsible to publicize flaws, and to do so when they have been fixed, is just plain rude.

  3. marturion

    Does anyone think that this is an oversight?

    Lenovo is a PRC company. Does anyone really think this is sloppiness, or simply sloppiness as a cover to allow the PRC access?

    1. Anonymous Coward

      Re: Does anyone think that this is an oversight?

      Actually if you look at where Lenovo's research and development takes place and where the systems are manufactured, you would see that Lenovo's PCs are no more Chinese than any other company's, probably less so.

  4. FrankAlphaXII
    Flame

    To hell with Lenovo, seriously

    My Lenovo doesn't have anything like this because I blasted their crapware laden Windows 8 abortion off that hard drive as fast as I possibly could and clean installed Windows 7. But then again, after Superfish and my experience with that computer's weirdness, I'm never buying from them again.

    I kind of second the post above me, giving the PLA access to whatever they sell is probably a concern for them, and they're probably backdoored to hell and back, I wonder if there are any hardware backdoors because I formatted everything with GParted after finding the weird partitions with DISKPART. DISKPART found two extra partitions when I ran it, one was big enough to run Linux or *BSD (with KDE or GNOME even, it was a good sized partition, like a couple/few GiB), on my hard drive when I was preparing for the Windows 7 install, it was really strange because they weren't the recovery partition at all, had a different file system even, so I switched over to GParted to have a look and finished the formatting part of the install with it. I called them and asked them what was up with them, because I didn't want to brick the computer and I've never gotten an answer as to why they were there. They did say I could delete them and the computer would be fine, but nothing else.

    Those partitions lasted as long as Windows 8 did on that computer. All I know is that I don't trust them after my own experience with Lenovo's customer service idiots hemming and hawing to me about what the deal was and not explaining anything really, and then the Superfish fiasco.

    Also, don't be too surprised if the Wumao/50 Cent Army and Putinistas downvote you for complaining about Lenovo or Kaspersky. It's an occupational hazard.

    1. Anonymous Coward

      Re: To hell with Lenovo, seriously

      The good news is you could delete them and reload.

      I've heard of machines inflicted with a particular strain of malware called "Windows with Bing" that would hang during (real) Windows Setup.

  5. W. Anderson

    Lenovo non-business mentality

    In light of Lenovo's recent purchase of IBM X86 "Server" business for sales and services to small business and organizations, and its Superfish Desktop PC debacle, it is incredulous that Lenovo has also refused to sell and support their newly purchased server line with RedHat or any Enterprise Linux or BSD based infrastructure OS software that underpins the established, proven, more secure and stable server OS software demanded nationally and globally, in a genuine effort to gain back some sense of competence in and seriousness about business computing.

    Professional technology associates have indicated learning that Lenovo is so beholden to Adware companies and Microsoft for Windows in lock-down long term contracts, that the company will unlikely be able to address the reliability, security and modern corporate technology requirements for Cloud Computing Services with Containerization and enterprise Mobile computing integration with Apple iOS, Android and to lesser degree Blackberry connection that is in high demand, for years to come.

    Almost every "consumer grade and mentality" technology company has been unable to understand, much less adapt to modern business technology needs successfully. It appears Lenovo is following in the footsteps of Sony Corporation.

    1. Anonymous Coward

      Re: Lenovo non-business mentality

      That's actually not true regarding Linux on x86.

    2. RugerAoh

      Re: Lenovo non-business mentality

      Not sure what your motivation was to post this, but it's complete bologna.

      http://shop.lenovo.com/us/en/systems/software/os/?menu-id=operating_systems

  6. Randall Shimizu

    It's a bit odd and disappointing that Lenovo would allow this adware on users' systems. Lenovo's actions have tarnished their reputation. On one hand Lenovo has probably the best reputation from a hardware perspective especially with their T-series laptops.
