The Register, as well as many other news sources, is reporting a new security vulnerability in Lenovo products.
Security researchers at IOActive uncovered a mechanism that would have allowed hackers to create a fake certificate authority in order to sign executables. The trick could be used by hackers on the same untrusted wireless network (of the type commonly found in coffee shops, pubs and transport hubs) to replace legitimate Lenovo programs with malware, as IOActive explains:
Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them.
Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.
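The defensive counterpart to the bypass described above, as an added example that is not part of the original post or of IOActive's report: a Go updater check that pins the publisher's Ed25519 key and binds the signature to the payload's SHA-256. With a pinned key, a certificate minted by an attacker-created CA carries no weight, and a payload substituted on the wire fails the digest check even though the manifest itself is genuine. The manifest layout, the key names and the payload bytes are constructed for this example and are not Lenovo's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, hypothetical descriptor an updater might
// fetch alongside an executable: the payload's SHA-256 and the vendor's
// signature over that digest.
type UpdateManifest struct {
	PayloadSHA256 [32]byte
	Signature     []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature is not from the pinned publisher key")
	ErrDigestMismatch = errors.New("downloaded payload does not match the signed digest")
)

// VerifyUpdate validates a downloaded payload against its manifest using a
// key that ships with the updater (pinned). No CA chain is consulted, so an
// attacker-created certificate authority cannot make a signature acceptable.
func VerifyUpdate(pinned ed25519.PublicKey, payload []byte, m UpdateManifest) error {
	if !ed25519.Verify(pinned, m.PayloadSHA256[:], m.Signature) {
		return ErrBadSignature
	}
	// The signature covers the digest, so the payload must match it too;
	// otherwise a genuine manifest could be paired with a swapped download.
	if sha256.Sum256(payload) != m.PayloadSHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// SignManifest is what the vendor's release process would do; it is included
// only so the example runs stand-alone.
func SignManifest(priv ed25519.PrivateKey, payload []byte) UpdateManifest {
	d := sha256.Sum256(payload)
	return UpdateManifest{PayloadSHA256: d, Signature: ed25519.Sign(priv, d[:])}
}

// Scenario exercises three cases: a genuine update, a payload replaced by a
// man-in-the-middle while the manifest is untouched, and a manifest re-signed
// by a key that is not the pinned publisher key (the "fake CA" case).
func Scenario() (genuine, swapped, resigned error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuinePayload := []byte("constructed: genuine updater payload")
	swappedPayload := []byte("constructed: payload substituted on the wire")

	m := SignManifest(vendorPriv, genuinePayload)
	genuine = VerifyUpdate(vendorPub, genuinePayload, m)
	swapped = VerifyUpdate(vendorPub, swappedPayload, m)
	resigned = VerifyUpdate(vendorPub, swappedPayload, SignManifest(attackerPriv, swappedPayload))
	return genuine, swapped, resigned
}

func main() {
	g, s, r := Scenario()
	fmt.Println("genuine update:   ", g)
	fmt.Println("swapped payload:  ", s)
	fmt.Println("re-signed by other:", r)
}
```

The design point is that trust is anchored in a key the updater already holds rather than in whatever chain a network peer presents; the second check closes the gap where a valid manifest is served next to a different binary.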
You could find a more-to-the-point article on this, but The Register’s writing makes this story much more fun.