Lenovo's status as a top corporate computer provider hit another snag when it announced that its Lenovo System Update app has a medium-risk security flaw. Previously, its laptops came preinstalled with adware named Superfish, which the company downplayed. The latest flaw will indeed cause some panic among its loyal customers, as other brands seem to have fewer such issues.
Security researchers at IOActive said in an advisory detailing three separate vulnerabilities that hackers could bypass the checks meant to ensure the integrity of apps, allowing them to run malware on an affected Lenovo machine. The flaw can be exploited when the attacker creates a fake certificate authority (CA) and uses it to create a code-signing certificate to sign executables. System Update will accept and execute the files with privileged rights. This affects most ThinkPad, ThinkCentre, and ThinkStation products, along with V, B, K, and E-series machines.
The patch can be found here. I do advise corporate customers to consider applying this fix to minimize the impact it might have on the corporate infrastructure.