Slashdot Mirror


Lenovo Patches Serious Vulnerabilities In PC System Update Tool (csoonline.com)

itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.

38 comments

  1. We patched your patch by JustAnotherOldGuy · · Score: 4, Funny

    So they patched the vulnerable tool that was supposed to fix vulnerabilities, and probably introduced some more vulnerabilities along the way. Bravo!

    Dear Lenovo, please stop. Any more 'help' like this and you'll be the death of me.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:We patched your patch by drinkypoo · · Score: 4, Interesting

      The only real problem is the whole goddamned mindset of releasing these tools without extremely careful development and testing. Most tools can be flimsy but when they hit the network you have to take real care, and a lot of people seem to treat it like any other situation. It isn't. That's not to say that you can just start trusting inputs when you read a file from disk or anything, but pretending that the network isn't fundamentally different is just pretending.

      A tool to download updates is a good idea. Having the vendor develop it isn't, which is just another reason why Linux package management beats the living crap out of Windows. If your vendor cares enough to integrate, they can deliver you updates in a secure and timely fashion without increasing your attack surface.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:We patched your patch by Anonymous Coward · · Score: 1

      A properly designed tool to download these updates is a great idea. But I have yet to see one that is properly designed.

      A properly designed update tool should be:
      - Able to check a "manifest" of already-applied updates. This does not require admin privileges.
      - Able to check an internet location for a "manifest" of available updates. This does not require admin privileges.
      - Able to compare the two manifests and determine if any further downloads are needed. This does not require admin privileges.
      - Able to download any required updates as executable installer packages. This does not require admin privileges.
      - Able to launch any downloaded packages within the operating system. This does not require admin privileges.

      From there, the OS should ask for admin/sudo/UAC/whatever before it executes each installer package.
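The staged design above (local manifest, remote manifest, compare, download, hand off to the OS for elevation) can be shown end to end in a few dozen lines. This is an added example, not code from the commenter or from Lenovo; the JSON manifest layout, the SHA-256 field, the component names and the installer bytes are all constructed here, and the "download" reads from an in-memory dict rather than the network. It adds one check the list does not state but that the thread's concern implies: the unprivileged stage verifies each downloaded installer against the manifest hash before it is ever handed to the OS for a privileged launch.

```python
"""Unprivileged update-check stage, following the five steps in the comment above.

Nothing here needs admin rights: read the applied-updates manifest, read the
available-updates manifest, diff them, fetch the installers, verify them, and
return the launch plan. The UAC/sudo prompt belongs to the OS at launch time.
"""
import hashlib
import hmac
import json

# Constructed sample installers (not real vendor packages).
SAMPLE_INSTALLERS = {
    "bios-1.21.exe": b"CONSTRUCTED BIOS INSTALLER 1.21",
    "touchpad-3.2.0.exe": b"CONSTRUCTED TOUCHPAD INSTALLER 3.2.0",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Step 1 input: manifest of already-applied updates (constructed, hypothetical format).
INSTALLED_MANIFEST = json.dumps({"bios": "1.20", "touchpad": "3.1.0", "audio": "6.0.1"})

# Step 2 input: manifest of available updates as a vendor might publish it
# (constructed; hashes are computed over the sample bytes above).
AVAILABLE_MANIFEST = json.dumps({
    "bios": {"version": "1.21", "file": "bios-1.21.exe",
             "sha256": sha256_hex(SAMPLE_INSTALLERS["bios-1.21.exe"])},
    "touchpad": {"version": "3.2.0", "file": "touchpad-3.2.0.exe",
                 "sha256": sha256_hex(SAMPLE_INSTALLERS["touchpad-3.2.0.exe"])},
    # Same version as installed: must not be selected, so its hash is never consulted.
    "audio": {"version": "6.0.1", "file": "audio-6.0.1.exe", "sha256": "0" * 64},
})


def parse_version(v: str) -> tuple:
    """Dotted numeric versions compare as integer tuples, so 1.21 > 1.20 and 1.9 < 1.10."""
    return tuple(int(p) for p in v.split("."))


def updates_needed(installed_json: str, available_json: str) -> dict:
    """Step 3: compare the two manifests; return {component: entry} for anything newer or missing."""
    installed = json.loads(installed_json)
    available = json.loads(available_json)
    needed = {}
    for name, entry in available.items():
        have = installed.get(name)
        if have is None or parse_version(entry["version"]) > parse_version(have):
            needed[name] = entry
    return needed


def fetch(filename: str, store: dict) -> bytes:
    """Step 4 stand-in: 'download' from the constructed store instead of over HTTP."""
    return store[filename]


def verify_and_stage(needed: dict, store: dict):
    """Gate between step 4 and step 5: only installers whose SHA-256 matches the
    manifest are staged; anything else is reported and never launched."""
    staged, rejected = [], []
    for name, entry in needed.items():
        data = fetch(entry["file"], store)
        if hmac.compare_digest(sha256_hex(data), entry["sha256"]):
            staged.append(entry["file"])
        else:
            rejected.append(name)
    return staged, rejected


def launch_plan(staged: list) -> list:
    """Step 5: the argv the OS would be asked to run for each verified installer.
    This script holds no privileges; the elevation prompt is the OS's job when it runs these."""
    return [[filename] for filename in staged]


def run(installed_json: str, available_json: str, store: dict) -> dict:
    needed = updates_needed(installed_json, available_json)
    staged, rejected = verify_and_stage(needed, store)
    return {"needed": sorted(needed), "staged": staged,
            "rejected": rejected, "plan": launch_plan(staged)}


if __name__ == "__main__":
    print(run(INSTALLED_MANIFEST, AVAILABLE_MANIFEST, SAMPLE_INSTALLERS))
    tampered = dict(SAMPLE_INSTALLERS, **{"touchpad-3.2.0.exe": b"not what the manifest promised"})
    print(run(INSTALLED_MANIFEST, AVAILABLE_MANIFEST, tampered))
```

The split matters for the story under discussion: the flaws fixed in this release were local privilege escalations inside the updater itself, and a downloader that runs as a plain user cannot become such a path on its own. The hash gate is what keeps a swapped or truncated download from reaching the privileged installer step; a real deployment would also want the remote manifest itself to be signed, which the constructed format above does not cover.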

    3. Re:We patched your patch by Teckla · · Score: 3, Insightful

      The real problem, in my opinion, is that most companies simply don't take software development seriously.

      Companies want software done cheap and fast, and the result is entirely predictable: buggy, unstable, insecure software.

    4. Re:We patched your patch by drinkypoo · · Score: 1, Interesting

      A properly designed tool to download these updates is a great idea. But I have yet to see one that is properly designed.

      A properly designed update tool should be:
      - Able to check a "manifest" of already-applied updates. This does not require admin privileges.

      I have yet to see a Linux (or indeed Unix) package tool which doesn't provide a mechanism to find out what version of a package is installed.

      - Able to check an internet location for a "manifest" of available updates. This does not require admin privileges.

      That's what e.g. apt does. You don't need root to do it, either. You can simulate all day without root.

      - Able to compare the two manifests and determine if any further downloads are needed. This does not require admin privileges.

      Apt will outright spit out the URLs for the downloads.

      - Able to download any required updates as executable installer packages. This does not require admin privileges.

      Why do they need to be executables? If there's a package management system there to handle the files? This is a red herring. Ignored.

      - Able to launch any downloaded packages within the operating system. This does not require admin privileges.

      Having printed the list of packages, and downloaded the packages, I can unpack them and do as I like with their contents.

      You can probably do all this stuff with rpm without privilege elevation but I haven't had to deal with rpm in ages, so I can't speak to that.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:We patched your patch by Anonymous Coward · · Score: 1

      You're missing the point, probably intentionally. These vulnerabilities keep cropping up in Windows-based update tools. Thus every single concern posted above is valid. On a related topic, nobody gives a shit what your preferred Linux package manager does or why it does it, because it "just works" and has done so happily for the last 15 years. It's also entirely irrelevant to anyone that uses Windows.

      And more specifically...

      Why do they need to be executables? If there's a package management system there to handle the files? This is a red herring. Ignored.

      This is the one point that should never be ignored. If the updater has access to the raw files, then it has the job of actually installing them where they need to go, and it would need admin privileges for that. And since the entire point of the post was that the updater shouldn't have admin privileges, well, this isn't a red herring, and this shouldn't be ignored.

      The idea of having executable installers is that the installer, not the downloader, has the onus placed upon it to ask for admin privileges. In this sense, package managers are against the Unix philosophy. They do two things: they download and they install. If either one of those things requires privilege escalation, then the entire process has escalated privileges, whether it needs those privileges or not.

    6. Re:We patched your patch by drinkypoo · · Score: 1

      This is the one point that should never be ignored. If the updater has access to the raw files, then it has the job of actually installing them where they need to go, and it would need admin privileges for that. And since the entire point of the post was that the updater shouldn't have admin privileges, well, this isn't a red herring, and this shouldn't be ignored.

      Well, no. The comment never actually insisted that you be able to install updates without privilege escalation. Go read it again! And frankly, the suggestion that you should be able to is a stupid one. There are lots of reasons why you shouldn't be able to do that, and I should not have to enumerate them here for you. If you have any IT experience at all, you should know what several of them are.

      The idea of having executable installers is that the installer, not the downloader, has the onus placed upon it to ask for admin privileges.

      Good news! You can download the packages without privilege escalation! The installer is a separate tool, which won't work without it. You need privilege escalation to update the list of installed packages (with good reason) and you need it to update the list of available packages (also with good reason) but you can in fact schedule the list updates, and you only need to update the list of installed packages when you are installing packages.

      There are very good reasons to protect installed packages. Do not make me explain them to you.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:We patched your patch by meadow · · Score: 1

      Excuse me, but this is on the spectrum of things a rather minor security flaw that was found, no different than the hundreds of other minor flaws with other software components of any system that are constantly being patched. If you don't like flaws, then don't use computers.

      This particular one had to do with a rather obscure possibility of escalating privileges when using a system update tool and which would have required an actual account on the computer to even execute.

      I'm sick of these people pooing their pants with their reactions in some of the posts here.

    8. Re:We patched your patch by JustAnotherOldGuy · · Score: 1

      What's your point?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    9. Re:We patched your patch by arglebargle_xiv · · Score: 1

      Probably not too far from the truth, here's excerpts from the changelog:

      <5.07.0019> 2015-11-11 release
      - [Important] Implement some security enhancement
      <5.07.0013> 2015-09-29 release
      - [Important] Implement some security enhancement for standard user account.
      <5.07.0008> 2015-09-10 release
      - [Important] Implement some security enhancement to secure the access to directory and exectuable files.
      New in 2015-06-24 release
      - Fixed some issues.
      New in 2015-03-27 release
      - Fixed some security issues
      [...]

      Looks like they're trying to give Oracle/Adobe a run for their money...

    10. Re:We patched your patch by meadow · · Score: 1

      Just that there are always vulnerabilities being found in all kinds of software, so it seems unfair to single out Lenovo as if they're doing something particularly wrong.

      For example, if you run a Linux system and keep it updated you will see a fairly constant stream of updates to packages on the system occurring all the time. Vulnerabilities are a drag, but unfortunately they are just part of the landscape of IT infrastructure, so I don't think it's fair to make Lenovo look bad in this case.

      I could go into the changelogs for all the recently updated packages on my Linux systems and give you a long list of all sorts of vulnerabilities that have been fixed with some very major software, but I wouldn't really get upset at them about it unless it was some extremely serious thing that was a result of deliberate negligence or something.

    11. Re:We patched your patch by JustAnotherOldGuy · · Score: 1

      I have to admit, I get a certain amount of amusement when someone writes a long, serious, and well thought-out response to a joke comment of mine. It's enough to make me think that some of the people on slashdot might just be humor-impaired.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  2. Why doesn't Slashdot report on systemd's bugs? by Anonymous Coward · · Score: 5, Informative

    If Slashdot is going to report on every little bug that affects software that comes with Lenovo laptops, then Slashdot should also report on every bug that affects systemd, which comes with pretty much every single modern Linux installation.

    Most of us here do not have Lenovo laptops, and never will. But most of us here do run Linux, and have been negatively affected by systemd. We find news about systemd's problems much more relevant than news about Lenovo's.

    1. Re:Why doesn't Slashdot report on systemd's bugs? by Anonymous Coward · · Score: 0

      All that ends up happening is that negative systemd posts get nuked to hell, replaced with sensible posts about how this was fixed in 2xx version of systemd, or via this and this configuration setting, and how people don't really give a shit anymore.

    2. Re:Why doesn't Slashdot report on systemd's bugs? by Anonymous Coward · · Score: 1

      https://github.com/systemd/systemd/issues?q=is%3Aopen+is%3Aissue

      Have fun!

    3. Re:Why doesn't Slashdot report on systemd's bugs? by Anonymous Coward · · Score: 1

      I like this one:

      https://github.com/systemd/systemd/issues/717

      An empty config file behaves differently than a file with everything commented out. Shit engineering.

    4. Re:Why doesn't Slashdot report on systemd's bugs? by malditaenvidia · · Score: 1

      Most of us here do not have Lenovo laptops, and never will.

      Speak for yourself, I'd never buy anything else.
      Protip: Lenovo makes those thinkpad computer machine thingies.

    5. Re:Why doesn't Slashdot report on systemd's bugs? by Anonymous Coward · · Score: 0

      The GP is talking about Slashdot, and you link to GitHub. Do you realize that they're two separate sites?

    6. Re:Why doesn't Slashdot report on systemd's bugs? by TeknoHog · · Score: 1

      Ditto. I use Gentoo on a Thinkpad, so no systemd or *doze tools to worry about.

      --
      Escher was the first MC and Giger invented the HR department.
    7. Re:Why doesn't Slashdot report on systemd's bugs? by armanox · · Score: 1

      Not only that, but ThinkPads are usually pretty good systems (I'm still using a Thinkpad 600E running Slackware and Windows XP as a thin client and serial terminal. I wouldn't mind getting a slightly newer system, but from before they switched to the chiclet keyboard).

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    8. Re:Why doesn't Slashdot report on systemd's bugs? by Teun · · Score: 1

      Hmm, the Thinkpad W and T lines of Lenovo are among the most 'compatible' laptops out there.

      Earlier crap like their intrusive ads was a specific Windows thing and the Linux community would shake its head.
      This Thinkvantage stuff is again a Windows-specific problem, a good reason for the OEMs to supply these updates as stand-alone packages, if it has to be with a DR-DOS or similar OS.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  3. Enough with the proprietary ... by gstoddart · · Score: 4, Insightful

    Time and time again these companies roll their own version of something, and time and time again it proves to be a failure.

    Let the OS maker build the tools to manage the OS, this way when that is found to be defective we all get the same update.

    This is one of the reasons I utterly hate OEM installs, because they put so much extra garbage on the machine as to render it almost useless.

    My mother-in-law's laptop needed to have about a dozen or so "helpers" (i.e. shitware) disabled to make the machine usable; otherwise it was spending most of its time trying to see if it could be helpful and perform tasks which were already done.

    Make a good quality laptop, and sell it to us. Make sure to write drivers for your stuff, and if you can't do that use someone's stuff which does have drivers.

    And then leave the rest of the damned OS alone.

    Just because someone in marketing wants to brand the experience and differentiate the product doesn't mean you're actually capable of delivering on this.

    As often as not these "helpful" tools cause more problems than they could ever hope to fix.

    --
    Lost at C:>. Found at C.
    1. Re:Enough with the proprietary ... by drinkypoo · · Score: 1

      Let the OS maker build the tools to manage the OS, this way when that is found to be defective we all get the same update.

      Certainly, some vendors provide drivers to Microsoft, who then goes on to provide them to us via this mechanism. But that only covers drivers in any case, and perhaps you could get them to deliver BIOS updates; but Microsoft Update is only for Microsoft software, so in Windows the vendor has no choice but to roll their own update delivery mechanism for their crapware. (Arguments about crapware are outside the scope of this comment, and boring anyway.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Enough with the proprietary ... by Anonymous Coward · · Score: 0

      How about you don't even *install* an OS on it? We're smart enough to figure that out on our own. Try this:

      "Well Mother Dearest, I can't get there to do the install for you until Sunday. Go ahead and download X or use Y DVD and see if you can figure out how. You can't really break anything."

      You want to do a clean OS install anyhow.

    3. Re:Enough with the proprietary ... by Teun · · Score: 1

      Yes that would be nice, to forbid this sale of a computer + OS as an inseparable package.
      The manufacturer can sell the OS as an add-on and we as consumers can decide to take it or ignore it.
      A good manufacturer would for a competitive price offer an auto starting disk or USB drive that would just require a simple boot up and ask for a user name and password.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  4. Cuz few ACTUAL HUMANS use it by Anonymous Coward · · Score: 0

    Millions use Lenovo. 100:1 compared to your class. Does /. consume space only to cover what 99.999% have no interest in seeing? NO! NO!

    Return to your master, slave!

  5. StinkPad by Impy+the+Impiuos+Imp · · Score: 1

    > ThinkVantage

    Makes me think the marketing people are robot phoning it in.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  6. Why isn't a universal update tool built into Win? by HalAtWork · · Score: 1

    Shouldn't ALL of the updating be done through Windows Update? Drivers and BIOS seem pretty important! Not only that, but there are plenty of apps that have their own updating systems, each running on its own schedule and triggering at different times, so installs don't all happen at once. How are you ever sure everything is completely up to date without checking in 20 different places?

  7. Re:Why isn't a universal update tool built into Wi by Anonymous Coward · · Score: 0

    Why? Because Windows is not UNIX and Microsoft is clueless about security.

  8. Re:Why isn't a universal update tool built into Wi by RogueyWon · · Score: 2

    I'm not sure that I want Windows update managing BIOS updates. Certainly not with the new "forced updates" system for all bar corporate clients that comes with Windows 10.

    A BIOS update that goes wrong is something that can brick your system and require a hardware intervention to resolve. The idea of my PC doing one automatically while I'm out at work sends a cold shiver down my spine.

    I'm generally unhappy about forced video-card updates, as it's not unknown, in a world where Nvidia driver releases are timed and optimised for the latest big-name release, for new versions to cause sometimes-serious issues with older games or even OS-stability issues. But at least with a video card driver update, you can always, in the worst case, boot into safe mode and roll back (even on Win10 Pro, I can do this and then defer the update to the bad version for long enough that a new one supersedes it).

    I'm religious about keeping my OS, drivers (barring the point on video card drivers above), browser and other programs up to date. But BIOS updates are something I do only if I absolutely have to in order to fix a specific problem. I don't want them rolling into Windows Update.

  9. You think this was a mistake? by nickweller · · Score: 1

    "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs"

    You think this was a mistake. I figure a certain three letter agency is engaged in inserting back-doors on all the connected devices on the planet.

    1. Re:You think this was a mistake? by Anonymous Coward · · Score: 0

      You think this was a mistake. I figure a certain three letter agency is engaged in inserting back-doors on all the connected devices on the planet.

      I'm sure a lot of people will immediately consider this as falling in the "whacky conspiracy theorist" category, but these days it's a real possibility.

      Lenovo may not even be the ones driving this, they may be blissfully unaware that they have employees in the employ of some TLA (it's already happened with other companies and groups) or they may be cooperating sub rosa. Or it might just be genuinely crappy software. Hell, it might be some or all of the above, these days there's really no way to know.

      Five or ten years ago I would have scoffed at this idea with derision, but with recent revelations regarding the involvement of various spy agencies in major industries and working groups I really have to step back and consider that there might really be some sort of "outside forces" in play here.

      It's no longer the province of the kooky conspiracy folks. Look at all the stuff Snowden revealed, look at the now-proven subversion of Cisco gear, and then take a moment to ponder just how much other stuff hasn't come to light.

    2. Re:You think this was a mistake? by Anonymous Coward · · Score: 0

      Bugs intentionally introduced by Lenovo, a Chinese-owned company (including partially by their government), were patched because the "three letters" discovered them, and the Chinese didn't want their exploits used against them by the U.S. and its Five Eyes allies.

  10. The real culprit: Microsoft by Anonymous Coward · · Score: 0

    Lenovo has been on the shitstorm scene for a while, which is really sad given the excellent build of their ThinkPad series. But regardless of that, I think the real culprit here is Microsoft. It is time for Microsoft to stop allowing OEM installs of their operating systems: if you want to put a Windows computer out there, you do an MS install or none at all.

  11. Too late by tgrigsby · · Score: 1

    Does it matter? It's not like anyone with any awareness is going to buy their crap anyway. I avoid them like the plague now, and I advise everyone I know to do the same.

    Maybe they can try again next Christmas?

    --
    *** *** You're just jealous 'cause the voices talk to me... ***
  12. Re:Why isn't a universal update tool built into Wi by HalAtWork · · Score: 1

    If you're a corporation, surely you're not relying on Windows Update anyway? For end users, it should really not be something they have to think about. If video card manufacturers can't push out reliable updates, that's another separate problem with QA. Yeah, I agree about BIOS updates, but I assume if Lenovo was willing to push one out to end users it must be critical?

  13. Re:Why isn't a universal update tool built into Wi by Anonymous Coward · · Score: 0

    That's like asking why there isn't a universal Android phone update tool. The answer is simple. Unless the manufacturer is the exclusive provider and chooses what hardware is offered, like Apple does, it's impossible to prevent third parties from using whatever hardware and drivers they want, which makes centralized universal updates for hardware (and maybe the software too) impossible. Google has the same problem, which is why they sell their "Nexus" line of phones for those who want a "pure" Android software/hardware experience without third-party nonsense and bloatware.

  14. Re:Why isn't a universal update tool built into Wi by armanox · · Score: 1

    Considering I've seen Windows Update grab the wrong drivers, I actually don't like letting Windows do it itself. Not to mention how many users would get bricked with a BIOS update gone wrong.

    At my last job, we did have a tool that pushed application updates (Flash player, vSphere client, etc) to everyone's computers along with Windows updates.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.