Lenovo, the No. 1 PC manufacturer by units sold, is being accused of shipping a "massive security risk": a vulnerability in its System Update software that lets an attacker in a man-in-the-middle position push malware onto victims' systems. Security researchers at IOActive, who reported the flaw, say it allows attackers to install malware or take over the affected systems outright.
The flaw affects ThinkPad, ThinkStation and ThinkCentre products, as well as B-, E-, K- and V-series models. Lenovo was first alerted to the issue in February and was given time to release a patch - which was made available last month - before IOActive shared the news publicly. Users of the affected models who have not yet applied that patch remain exposed.
"An attacker can create a fake [certificate authority] and use it to create a code-signing certificate, which can then be used to sign executables," according to the advisory. "Since the System Update failed to properly validate the certificate authority, the System Update will accept the executables signed by the fake certificate and execute them as a privileged user."
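To make the class of failure the advisory describes concrete, here is an added example in Go. It is not IOActive's proof of concept and not Lenovo's System Update code; every name in it is invented, the payload is a constructed stand-in for an update executable, and Ed25519 is used for brevity rather than because Lenovo's tooling uses it. The example builds a hypothetical vendor root CA and an attacker's self-made CA, issues a code-signing leaf under each, signs the same payload with both, and then runs two verifiers: one that only checks that the signature matches whatever certificate arrived with the update (the flaw class in the quote above), and a hardened one that first chains the certificate to a pinned vendor root and requires the code-signing extended key usage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type signer struct {
	key  ed25519.PrivateKey
	cert *x509.Certificate
}

// issue generates a key and certificate for name: a self-signed CA when
// parent is nil, otherwise a code-signing leaf signed by parent's key.
func issue(name string, parent *signer) (*signer, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parentCert, parentKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{key: key, cert: cert}, nil
}

// signUnder makes a CA named caName, issues a code-signing leaf under it and signs payload; an attacker can do exactly this.
func signUnder(caName, leafName string, payload []byte) (ca, leaf *signer, sig []byte, err error) {
	if ca, err = issue(caName, nil); err != nil {
		return
	}
	if leaf, err = issue(leafName, ca); err != nil {
		return
	}
	return ca, leaf, ed25519.Sign(leaf.key, payload), nil
}

// verifyVulnerable has the flaw class the advisory describes: the signature is checked against
// whatever certificate shipped with the update, but nobody asks who issued that certificate.
func verifyVulnerable(cert *x509.Certificate, payload, sig []byte) error {
	return cert.CheckSignature(x509.PureEd25519, payload, sig)
}

// verifyHardened chains cert to a pinned vendor root, requires the code-signing EKU, then checks the signature.
func verifyHardened(roots *x509.CertPool, cert *x509.Certificate, payload, sig []byte) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	return cert.CheckSignature(x509.PureEd25519, payload, sig)
}

// demo signs one constructed stand-in payload under a hypothetical vendor root and under an attacker's fake
// root, then reports what the vulnerable and hardened verifiers accept.
func demo() (vulnAcceptsAttacker, hardAcceptsVendor, hardAcceptsAttacker bool, err error) {
	payload := []byte("MZ constructed stand-in for an update executable")
	vendorCA, vendorLeaf, vendorSig, err := signUnder("Example Vendor Root (hypothetical)", "Vendor Update Signer", payload)
	if err != nil {
		return
	}
	_, attackerLeaf, attackerSig, err := signUnder("Fake CA", "Attacker Signer", payload)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(vendorCA.cert) // the only root the updater should trust
	vulnAcceptsAttacker = verifyVulnerable(attackerLeaf.cert, payload, attackerSig) == nil
	hardAcceptsVendor = verifyHardened(roots, vendorLeaf.cert, payload, vendorSig) == nil
	hardAcceptsAttacker = verifyHardened(roots, attackerLeaf.cert, payload, attackerSig) == nil
	return
}

func main() {
	fmt.Println(demo()) // prints: true true false <nil>
}
```

Run it with `go run`: the vulnerable verifier accepts the payload signed under the fake CA, while the hardened one rejects it with an unknown-authority error and still accepts the vendor-signed copy. The check that matters is the `Verify` call against a `Roots` pool holding only the vendor's own CA; trusting whichever CA the update itself presents is precisely what lets a self-made CA through. A real updater would also need to make this decision before handing the file to a privileged process, since running unverified code as a privileged user is the second half of the advisory's finding.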
This newest security vulnerability follows just months after Lenovo faced heavy criticism for pre-installing the controversial Superfish adware; the company later released a patch to help users remove it.