Lenovo patches serious vulnerabilities in PC system update tool
For the third time in less than six months, security issues have forced Lenovo to update one of the tools preloaded on its PCs.
Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers’ drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.
One of the vulnerabilities is located in the tool’s help system and allows users with limited Windows accounts to start an instance of Internet Explorer with administrator privileges by clicking on URLs in help pages. That’s because Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.
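A detection-side view of the inheritance described above, added here as an example and not taken from Lenovo or IOActive: it walks constructed process-creation records and flags user-facing programs that run under the privileged account anywhere below the updater in the process tree. The image name `updater.exe`, the account name `TEMP_ADMIN` and the record fields are assumptions made for illustration, not values from the article.

```python
# Constructed process-creation records; the fields are modelled on common
# endpoint telemetry. Image and account names are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "updater.exe",   "user": "TEMP_ADMIN"},
    {"pid": 210, "ppid": 100, "image": "iexplore.exe",  "user": "TEMP_ADMIN"},
    {"pid": 305, "ppid": 210, "image": "notepad.exe",   "user": "TEMP_ADMIN"},
    {"pid": 400, "ppid": 50,  "image": "iexplore.exe",  "user": "alice"},
    {"pid": 410, "ppid": 100, "image": "driverpkg.exe", "user": "TEMP_ADMIN"},
]

UPDATER_IMAGES = {"updater.exe"}    # hypothetical updater binary name
PRIVILEGED_USERS = {"TEMP_ADMIN"}   # hypothetical temporary administrator account
# Programs a user drives directly; these should not run under the updater's account.
INTERACTIVE_IMAGES = {"iexplore.exe", "notepad.exe", "cmd.exe"}


def updater_ancestor(event, by_pid):
    """Return the pid of the nearest updater ancestor of `event`, or None."""
    seen = set()                    # guards against loops from reused pids
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        if parent["image"].lower() in UPDATER_IMAGES:
            return parent["pid"]
        ppid = parent["ppid"]
    return None


def find_inherited_privilege(events):
    """Flag interactive programs running as the privileged account below the updater."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() not in INTERACTIVE_IMAGES:
            continue                # expected helper, e.g. a driver installer
        if e["user"] not in PRIVILEGED_USERS:
            continue                # ordinary user session, nothing inherited
        root = updater_ancestor(e, by_pid)
        if root is not None:
            alerts.append((e["pid"], e["image"], root))
    return alerts


if __name__ == "__main__":
    for pid, image, root in find_inherited_privilege(EVENTS):
        print(f"pid {pid} ({image}) runs as privileged account via updater pid {root}")
```

The grandchild at pid 305 is flagged as well, because the account is inherited down the whole tree and not only by direct children of the updater.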