Lenovo Patches Serious Vulnerabilities In PC System Update Tool

itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.

Re:We patched your patch

[drinkypoo]

The only real problem is the whole goddamned mindset of releasing these tools without extremely careful development and testing. Most tools can be flimsy but when they hit the network you have to take real care, and a lot of people seem to treat it like any other situation. It isn't. That's not to say that you can just start trusting inputs when you read a file from disk or anything, but pretending that the network isn't fundamentally different is just pretending.

A tool to download updates is a good idea. Having the vendor develop it isn't, which is just another reason why Linux package management beats the living crap out of Windows. If your vendor cares enough to integrate, they can deliver you updates in a secure and timely fashion without increasing your attack surface.

Re:We patched your patch

[drinkypoo]

A properly designed tool to download these updates is a great idea. But I have yet to see one that is properly designed.

A properly designed update tool should be:
- Able to check a "manifest" of already-applied updates. This does not require admin privileges.

I have yet to see a Linux (or indeed Unix) package tool which doesn't provide a mechanism to find out what version of a package is installed.

- Able to check an internet location for a "manifest" of available updates. This does not require admin privileges.

That's what e.g. apt does. You don't need root to do it, either. You can simulate all day without root.

- Able to compare the two manifests and determine if any further downloads are needed. This does not require admin privileges.

Apt will outright spit out the URLs for the downloads.

- Able to download any required updates as executable installer packages. This does not require admin privileges.

Why do they need to be executables? If there's a package management system there to handle the files? This is a red herring. Ignored.

- Able to launch any downloaded packages within the operating system. This does not require admin privileges.

Having printed the list of packages, and downloaded the packages, I can unpack them and do as I like with their contents.

You can probably do all this stuff with rpm without privilege elevation but I haven't had to deal with rpm in ages, so I can't speak to that.