After the US Computer Emergency Readiness Team (US-CERT) called pre-installed Superfish “a critical vulnerability affecting Lenovo consumer personal computers,” several lawsuits leveled against Lenovo and adware maker Superfish were filed. Lenovo's chief technology officer admitted, “We messed up badly.” But that almost seems like a mantra for Lenovo lately as the company is again in the news over a security snafu.

3 new security holes in Lenovo System Update

IOActive reported discovering three “high” severity security vulnerabilities in Lenovo System Update 5.6.0.27 and earlier versions. Lenovo’s System Update service was meant to keep users patched with the latest software and drivers, but IOActive found privilege escalation vulnerabilities in Lenovo’s service.

CVE-2015-2219 could allow local, least-privileged users to “run commands as the System user.” CVE-2015-2234 could allow local, unprivileged users to “run commands as an administrative user.” CVE-2015-2233 could allow local and potentially even remote attackers “to bypass signature validation checks and replace trusted Lenovo applications with malicious apps.” IOActive researchers Michael Milvich and Sofiane Talmat (pdf) added, “Arbitrarily executing commands sent by a malicious unprivileged user represents a massive security risk.”

Regarding CVE-2015-2233, they explained:

The System Update downloads executables from the internet and runs them. As a security measure Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them. As a result, an attacker can create a fake certificate authority which can then be used to sign executables. Remote attackers who can perform a man-in-the-middle attack (the classic coffee shop attack) can exploit this to swap Lenovo's executables with a malicious executable.

The security issues were cleared up when “Lenovo released an updated version of Lenovo System Update” in April, Lenovo told SC Magazine. The company’s security advisory said all ThinkPad, ThinkCenter, ThinkStation and Lenovo V/B/K/E Series might have been impacted by the multiple “medium” severity vulnerabilities. To be protected, users need to make sure the Lenovo System Update app was updated. Lenovo included instructions on how to make sure the patch was deployed as well as how to manually update.

Lenovo says no defect in LaVie Z 360s, just typos in the product description

More bad PR problems for Lenovo emerged after Consumer Reports purchased a Lenovo LaVie Z 360 laptop that was introduced at CES 2015. Lenovo’s website shows “the LaVie Z 360 working in several modes—laptop, tablet, tent, and stand—just like many convertible computers. The computer was also notable for its feathery weight. It was just 2.04 pounds, and very thin at 0.67 inches.” But after ordering it, Consumer Report received an email from Lenovo saying it had made “a couple missteps” in its "haste to bring the product to market."

When the laptop is in Tent Mode, users see an “upside-down image.” Lenovo’s email said it can be fixed via Windows commands, but “this is not a great user experience.” Additionally, when in Stand Mode the keyboard doesn’t deactivate. There’s isn’t a firmware fix as the problem seems to be hardware-related. An unhappy Consumer Reports reporter said Lenovo shipped the computers “as is – while refunding 5% of the cost.”

Lenovo claims there is no defect in the device; instead, the company blames a clerical error on the LaVie Z 360’s product page. SlashGear reported, “The error wasn't in the device but in the product information that was put up on the LaVie Z 360 web page that misled people to believe that the device was indeed capable of four modes.” The company has since updated its product page to be more accurate. Lenovo is sorry, again, but this time for not conveying its apology about LaVie capabilities.

Did you contact Lenovo about receiving Superfish-free recovery media?

Although the company provided a Superfish removal tool, Superfish could reappear after users reinstalled Windows from their recovery partition. Last month Lenovo confirmed it would ship recovery media for free. It’s on consumers, however, to contact the company to check eligibility as Lenovo is not shipping the recovery media in bulk to all affected users.

Lenovo layoffs

Lastly, it’s been reported that Lenovo will axe former IBM employees today.

Three months ago, “ridiculous” and “baseless” was what IBM called a report that claimed it would lay off one in four workers. Former IBM employees setup a “jobs cut” website that kept track of employees who received notification of being laid off. Then today, WRAL TechWire reported Lenovo would start laying off former IBM workers at Research Triangle Park in North Carolina.

Unnamed sources told WRAL that the “primary targets of the job cuts are former IBM employees who were transferred to Lenovo last September when the deal in which Lenovo bought IBM’s lower-end x86 server business closed.” The layoffs were expected to happen in March, but Lenovo said there were no layoffs to report. Unnamed office managers allegedly claimed the cut list was ready last week; key performance indicators (KPIs) were discussed on Friday “to let employees digest the bad news over Mother's Day weekend.”

“The morale is horrible, but at least the wait is almost over,” WRAL was told. “Every conference room is reserved the entire day for executives" on Monday and “workers say employees were told last week that those being let go would be told Monday” (today). It remains to be seen if this is true.