by Paul Ducklin on May 11, 2015
Laptop megabrand Lenovo was all over the news recently thanks to a preinstalled utility called Superfish.
Lenovo's motivation for choosing Superfish seems to have been entirely innocent, but nevertheless ended in tears, especially for Lenovo.
The program supposedly boosted the accuracy and relevance of image searches you did; in return, the company bankrolling the Superfish system could make money at the other end by putting relevant advertisers in front of you.
That's sort of what Google and others do with their search engine, except that Superfish was preinstalled, and hooked into your browsing, making it less obvious that you were giving away search information to a third-party company in the on-line advertising industry.
But that wasn't the really bad part.
Superfish also quietly included a module to peek inside your dealings even with encrypted websites, using the same sort of technique as security software that scans encrypted web traffic for exploits, scams, malware and more.
Unfortunately, the Superfish vendor completely botched up the cryptography, theoretically making it trivial for a well-informed crook not only to trick you into trusting a fake website, but also to trick your computer into trusting any software that you downloaded from it.
We quickly published instructions to help you get rid of Superfish, so that you no longer had to worry about any side-effects it might have; happily, Lenovo soon followed suit with removal instructions and a removal toolkit of its own.
Lessons learned; problem solved; move on.
Back in the news
Sadly for Lenovo, the company is now back in the news with another security problem, but this time it's in the company's own System Update software.
System update tools can be an exploiter's dream, because they are usually designed to let an unprivileged but authorised user (i.e. you, if it's the personal laptop you bought to use at home) kick off updates without having to log in as an administrator first.
That's actually good for security if done well, for a variety of reasons:
- It makes official updates easy, so you are less inclined to put them off "until next time."
- You can let others in your family apply updates without giving them the administrator password.
- You don't need to log in as administrator at all, which reduces your time exposed to danger.
Obviously, however, system update tools that accidentally give too much power to an unprivileged user are a bad thing, because that turns them into an Elevation of Privilege (EoP) security hole.
Unfortunately, when bug-hunters IOActive took a recent expedition into Lenovo's System Update software, they found that it was too liberal in how much power it put in the hands of users who weren't supposed to have it.

Simply put, Lenovo's update service did include an authentication system that was supposed to limit access to specific users, but the password (more correctly, what's known as a security token – a special blob of data that is supposed to be unique) could easily be guessed.
So any user on the system could pretend to be authorised to communicate with the update service.
To make things worse, the commands that the update service could handle were of a general nature, such as "please run this command for me."
In other words, any user, even an unprivileged one, could run any command as the SYSTEM account, simply by asking Lenovo's System Update service politely.
Command line utilities available on every Windows computer make it easy for privileged users to do useful tasks such as changing passwords, creating accounts, altering file access permissions, opening up network shares, installing new software and much more.
But you definitely don't want to let unprivileged users do any of those things, even if all you are worried about is accidents.
Add in users, internal or external, with malicious intent and the risks are even worse.
What to do?
This was all privately disclosed to Lenovo, and fixed before IOActive made its bulletin public.
That's the right way to deal with holes of this sort, in our opinion.
Anyone who already knew about this hole could have exploited it anyway; those who didn't were given a decent opportunity to fix the hole forever.
(Yes, it seems that Lenovo did indeed use System Update to patch System Update, giving a simple but tidy closure to the problem.)
NB. According to IOActive, Lenovo System Update at version 5.6.0.27 or earlier is vulnerable. If you have a later version, you should be immune to this vulnerability. You can check the version number of third-party software installed on Windows using Control Panel | Programs | Programs and Features. In the Details view, you should see the columns Name, Publisher, Installed On, Size and Version.
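The same version check can be scripted against the registry keys that back Programs and Features, which is handy if you have more than one laptop to look at. This is an added example, not code from IOActive or Lenovo; it assumes the entry's name contains "System Update" and its publisher contains "Lenovo", and it only looks at machine-wide installs.

```powershell
# Added example: flag Lenovo System Update installs at or below 5.6.0.27.
# Assumption: DisplayName contains "System Update" and Publisher contains "Lenovo".
$lastVulnerable = [version]'5.6.0.27'   # last vulnerable version per the article

# Registry keys behind "Programs and Features" (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-VulnerableVersion {
    param([string]$DisplayVersion)
    $parsed = $null
    # Compare as a version, not as text: as a string, '5.6.0.4' sorts after '5.6.0.27'.
    if ([version]::TryParse($DisplayVersion, [ref]$parsed)) {
        return $parsed -le $lastVulnerable
    }
    return $null   # missing or unparseable version: needs a manual look
}

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*System Update*' -and $_.Publisher -like '*Lenovo*' }

if (-not $found) {
    Write-Output 'Lenovo System Update not found in the uninstall registry keys.'
}
foreach ($app in $found) {
    $vulnerable = Test-VulnerableVersion $app.DisplayVersion
    if ($null -eq $vulnerable) {
        $status = 'UNKNOWN (check manually)'
    } elseif ($vulnerable) {
        $status = 'VULNERABLE (5.6.0.27 or earlier)'
    } else {
        $status = 'Later than 5.6.0.27'
    }
    [pscustomobject]@{
        Name    = $app.DisplayName
        Version = $app.DisplayVersion
        Status  = $status
    }
}
```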
