Lenovo Patches Serious Vulnerabilities In PC System Update Tool (csoonline.com)
itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.
The only real problem is the whole goddamned mindset of releasing these tools without extremely careful development and testing. Most tools can be flimsy but when they hit the network you have to take real care, and a lot of people seem to treat it like any other situation. It isn't. That's not to say that you can just start trusting inputs when you read a file from disk or anything, but pretending that the network isn't fundamentally different is just pretending.
A tool to download updates is a good idea. Having the vendor develop it isn't, which is just another reason why Linux package management beats the living crap out of Windows. If your vendor cares enough to integrate, they can deliver you updates in a secure and timely fashion without increasing your attack surface.
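The two comments above make the same point from different angles: an update client consumes data from the network, so everything it downloads is untrusted until it has been authenticated, and the client should fail closed rather than install what it cannot verify. The following Go program is an added illustration of that principle, written for this page; it is not Lenovo's code, not the IOActive findings, and not a description of the patched tool. It assumes a constructed manifest format (product, version, SHA-256 of the payload), a publisher key pinned in the client, and an Ed25519 signature over the manifest; the product name and payload bytes are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update. The format is constructed for this example.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the payload the manifest vouches for
}

// Sentinel errors so callers can branch on the failure reason.
var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrBadDigest    = errors.New("payload digest does not match manifest")
	ErrRollback     = errors.New("manifest version is not newer than installed")
	ErrWrongProduct = errors.New("manifest is for a different product")
)

// VerifyUpdate performs the checks a client should make before an update touches
// the system: the manifest must verify under the pinned key, it must be for this
// product and newer than what is installed (anti-rollback), and the payload must
// hash to the digest the signed manifest names. Nothing is trusted before that.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte, product string, installed int) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrBadDigest
	}
	return &m, nil
}

// SignManifest is the publisher side. It belongs on the vendor's signing host;
// the private key never ships with the client.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update payload") // constructed, not a real package
	sum := sha256.Sum256(payload)
	m := Manifest{Product: "ExampleUpdater", Version: 2, SHA256: hex.EncodeToString(sum[:])}
	manifestJSON, sig, _ := SignManifest(priv, m)

	_, err := VerifyUpdate(pub, manifestJSON, sig, payload, "ExampleUpdater", 1)
	fmt.Println("genuine update:", err)

	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 1
	_, err = VerifyUpdate(pub, manifestJSON, sig, tampered, "ExampleUpdater", 1)
	fmt.Println("tampered payload:", err)

	_, err = VerifyUpdate(pub, manifestJSON, sig, payload, "ExampleUpdater", 2)
	fmt.Println("replayed old version:", err)
}
```

The ordering matters: the signature is checked before the manifest is parsed, so unauthenticated bytes never reach the JSON decoder, and the digest in the signed manifest is what binds the payload, so swapping the payload on the wire fails the last check even though the manifest itself is genuine. This is the shape that a distribution package manager gives you for free and that a vendor-written updater has to get right on its own.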