Slashdot Mirror


Lenovo Patches Serious Vulnerabilities In PC System Update Tool (csoonline.com)

itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.


  1. We patched your patch by JustAnotherOldGuy · Score: 4, Funny

    So they patched the vulnerable tool that was supposed to fix vulnerabilities, and probably introduced some more vulnerabilities along the way. Bravo!

    Dear Lenovo, please stop. Any more 'help' like this and you'll be the death of me.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:We patched your patch by drinkypoo · Score: 4, Interesting

      The only real problem is the whole goddamned mindset of releasing these tools without extremely careful development and testing. Most tools can be flimsy but when they hit the network you have to take real care, and a lot of people seem to treat it like any other situation. It isn't. That's not to say that you can just start trusting inputs when you read a file from disk or anything, but pretending that the network isn't fundamentally different is just pretending.

      A tool to download updates is a good idea. Having the vendor develop it isn't, which is just another reason why Linux package management beats the living crap out of Windows. If your vendor cares enough to integrate, they can deliver you updates in a secure and timely fashion without increasing your attack surface.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:We patched your patch by Teckla · Score: 3, Insightful

      The real problem, in my opinion, is that most companies simply don't take software development seriously.

      Companies want software done cheap and fast, and the result is entirely predictable: buggy, unstable, insecure software.

  2. Why doesn't Slashdot report on systemd's bugs? by Anonymous Coward · Score: 5, Informative

    If Slashdot is going to report on every little bug that affects software that comes with Lenovo laptops, then Slashdot should also report on every bug that affects systemd, which comes with pretty much every single modern Linux installation.

    Most of us here do not have Lenovo laptops, and never will. But most of us here do run Linux, and have been negatively affected by systemd. We find news about systemd's problems much more relevant than news about Lenovo's.

  3. Enough with the proprietary ... by gstoddart · Score: 4, Insightful

    Time and time again these companies roll their own version of something, and time and time again it proves to be a failure.

    Let the OS maker build the tools to manage the OS, this way when that is found to be defective we all get the same update.

    This is one of the reasons I utterly hate OEM installs, because they put so much extra garbage on the machine as to render it almost useless.

    My mother-in-law's laptop needed to have about a dozen or so "helpers" (i.e. shitware) disabled to make the machine usable, otherwise it was spending most of its time trying to see if it could be helpful and perform tasks which were already done.

    Make a good quality laptop, and sell it to us. Make sure to write drivers for your stuff, and if you can't do that use someone's stuff which does have drivers.

    And then leave the rest of the damned OS alone.

    Just because someone in marketing wants to brand the experience and differentiate the product doesn't mean you're actually capable of delivering on this.

    As often as not these "helpful" tools cause more problems than they could ever hope to fix.

    --
    Lost at C:>. Found at C.