Lenovo Patches Serious Vulnerabilities In PC System Update Tool (csoonline.com) 38
itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.
We patched your patch (Score:5, Funny)
So they patched the vulnerable tool that was supposed to fix vulnerabilities, and probably introduced some more vulnerabilities along the way. Bravo!
Dear Lenovo, please stop. Any more 'help' like this and you'll be the death of me.
Re:We patched your patch (Score:5, Interesting)
The only real problem is the whole goddamned mindset of releasing these tools without extremely careful development and testing. Most tools can be flimsy but when they hit the network you have to take real care, and a lot of people seem to treat it like any other situation. It isn't. That's not to say that you can just start trusting inputs when you read a file from disk or anything, but pretending that the network isn't fundamentally different is just pretending.
A tool to download updates is a good idea. Having the vendor develop it isn't, which is just another reason why Linux package management beats the living crap out of Windows. If your vendor cares enough to integrate, they can deliver you updates in a secure and timely fashion without increasing your attack surface.
Re: (Score:1)
A properly designed tool to download these updates is a great idea. But I have yet to see one that is properly designed.
A properly designed update tool should be:
- Able to check a "manifest" of already-applied updates. This does not require admin privileges.
- Able to check an internet location for a "manifest" of available updates. This does not require admin privileges.
- Able to compare the two manifests and determine if any further downloads are needed. This does not require admin privileges.
- Able to dow
Re: (Score:2, Interesting)
A properly designed tool to download these updates is a great idea. But I have yet to see one that is properly designed.
A properly designed update tool should be:
- Able to check a "manifest" of already-applied updates. This does not require admin privileges.
I have yet to see a Linux (or indeed Unix) package tool which doesn't provide a mechanism to find out what version of a package is installed.
- Able to check an internet location for a "manifest" of available updates. This does not require admin privileges.
That's what e.g. apt does. You don't need root to do it, either. You can simulate all day without root.
- Able to compare the two manifests and determine if any further downloads are needed. This does not require admin privileges.
Apt will outright spit out the URLs for the downloads.
- Able to download any required updates as executable installer packages. This does not require admin privileges.
Why do they need to be executables? If there's a package management system there to handle the files? This is a red herring. Ignored.
- Able to launch any downloaded packages within the operating system. This does not require admin privileges.
Having printed the list of packages, and downloaded the packages, I can unpack th
Re: (Score:1)
You're missing the point, probably intentionally. These vulnerabilities keep cropping up in Windows-based update tools. Thus every single concern posted above is valid. On a related topic, nobody gives a shit what your preferred Linux package manager does or why it does it, because it "just works" and has done so happily for the last 15 years. It's also entirely irrelevant to anyone that uses Windows.
And more specifically...
Re: (Score:2)
This is the one point that should never be ignored. If the updater has access to the raw files, then it has the job of actually installing them where they need to go, and it would need admin privileges for that. And since the entire point of the post was that the updater shouldn't have admin privileges, well, this isn't a red herring, and this shouldn't be ignored.
Well, no. The comment never actually insisted that you be able to install updates without privilege escalation. Go read it again! And frankly, the suggestion that you should be able to is a stupid one. There are lots of reasons why you shouldn't be able to do that, and I should not have to enumerate them here for you. If you have any IT experience at all, you should know what several of them are.
The idea of having executable installers is that the installer, not the downloader, has the onus placed upon it to ask for admin privileges.
Good news! You can download the packages without privilege escalation! The installer is a separate tool, which wo
Re:We patched your patch (Score:4, Insightful)
The real problem, in my opinion, is that most companies simply don't take software development seriously.
Companies want software done cheap and fast, and the result is entirely predictable: buggy, unstable, insecure software.
Re: (Score:1)
This particular one had to do with a rather obscure possibility of escalating privileges when using a system update tool and which would have required an actual account on the computer to even execute.
I'm sick of these people pooin
Re: (Score:2)
What's your point?
Re: (Score:1)
For example if you run a Linux system and keep it updated you will see a fairly constant stream of updates to packages on the system occurring all the time. Vulnerabilities are a drag but unfortunately they are just part of the landscape of IT infrastructure so I don't think its fair to make Lenovo look bad in this case.
I could go into
Re: (Score:2)
I have to admit, I get a certain amount of amusement when someone writes a long, serious, and well thought-out response to a joke comment of mine. It's enough to make me think that some of the people on slashdot might just be humor-impaired.
Re: (Score:2)
Probably not too far from the truth, here's excerpts from the changelog:
Why doesn't Slashdot report on systemd's bugs? (Score:5, Informative)
If Slashdot is going to report on every little bug that affects software that comes with Lenovo laptops, then Slashdot should also report on every bug that affects systemd, which comes with pretty much every single modern Linux installation.
Most of us here do not have Lenovo laptops, and never will. But most of us here do run Linux, and have been negatively affected by systemd. We find news about systemd's problems much more relevant than news about Lenovo's.
Re: (Score:1)
https://github.com/systemd/systemd/issues?q=is%3Aopen+is%3Aissue
Have fun!
Re: (Score:1)
I like this one:
https://github.com/systemd/systemd/issues/717
An empty config file behaves differently than a file with everything commented out. Shit engineering.
Re: (Score:1)
Speak for yourself, I'd never buy anything else.
Protip: Lenovo makes those thinkpad computer machine thingies.
Re: (Score:2)
Re: (Score:2)
Not only that, but ThinkPads are usually pretty good systems (I'm still using a Thinkpad 600E running Slackware and Windows XP as a thin client and serial terminal. I wouldn't mind getting a slightly newer system, but from before they switched to the chicklet keyboard).
Re: (Score:2)
. Earlier crap like their intrusive ads were a specific Windows thread and the Linux community would shake it's head.
This Thinkvantage stuff is again a Windows specific problem, a good reason for the OEM's to supply these updates as stand-alone packages, if it has to be with a DR-DOS or similar OS.
Enough with the proprietary ... (Score:5, Insightful)
Time and time again these companies roll their own version of something, and time and time again it proves to be a failure.
Let the OS maker build the tools to manage the OS, this way when that is found to be defective we all get the same update.
This is one of the reasons I utterly hate OEM installs, because they put so much extra garbage on the machine as to render it almost useless.
My mother-in-law's laptop needed to have about a dozen or so "helpers" (ie shitware) disabled to make the machine usable, otherwise it was spending most of its time trying to see if it could be helpful and perform tasks which were already done.
Make a good quality laptop, and sell it to us. Make sure to write drivers for your stuff, and if you can't do that use someone's stuff which does have drivers.
And then leave the rest of the damned OS alone.
Just because someone in marketing wants to brand the experience and differentiate the product doesn't mean you're actually capable of delivering on this.
As often as not these "helpful" tools cause more problems than they could ever hope to fix.
Re: (Score:2)
Let the OS maker build the tools to manage the OS, this way when that is found to be defective we all get the same update.
Certainly, some vendors provide drivers to Microsoft, who then goes on to provide them to us via this mechanism. But that only covers drivers in any case, and perhaps you could get them to deliver BIOS updates; but Microsoft Update is only for Microsoft software, so in Windows the vendor has no choice but to roll their own update delivery mechanism for their crapware. (Arguments about crapware are outside the scope of this comment, and boring anyway.)
Re: (Score:2)
The manufacturer can sell the OS as an add-on and we as consumers can decide to take it or ignore it.
A good manufacturer would for a competitive price offer an auto starting disk or USB drive that would just require a simple boot up and ask for a user name and password.
StinkPad (Score:1)
> ThinkVantage
Makes me think the marketing people are robot phoning it in.
Why isn't a universal update tool built into Win? (Score:2)
Shouldn't ALL of the updating be done through Windows update? Drivers and BIOS seems pretty important! Not only that but there are plenty of apps that have their own updating systems, that each run on their own schedule and trigger at different times and installs happen not all at once. How are you ever sure everything is completely up to date without checking in 20 different places?
Re: (Score:3)
I'm not sure that I want Windows update managing BIOS updates. Certainly not with the new "forced updates" system for all bar corporate clients that comes with Windows 10.
A BIOS update that goes wrong is something that can brick your system and require a hardware intervention to resolve. The idea of my PC doing one automatically while I'm out at work sends a cold shiver down my spine.
I'm generally unhappy about forced video-card update, as it's not unknown, in a world where Nvidia driver releases are timed
Re: (Score:2)
If you're a corporation surely you're not relying on Windows Update anyway? For end users, it should really not be something they have to think about. If video card manufacturers can't push out reliable updates that's another separate problem with QA. Yeah I agree about bios updates but I assume if Lenovo was willing to push one out to end users it must be critical?
Re: (Score:2)
Considering I've seen Windows Update grab the wrong drivers, I actually don't like letting Windows do it itself. Not to mention how many users would get bricked with a BIOS update gone wrong.
At my last job, we did have a tool that pushed application updates (Flash player, vSphere client, etc) to everyone's computers along with Windows updates.
You think this was a mistake? (Score:2)
You think this was a mistake. I figure a certain three letter agency is engaged in inserting back-doors on all the connected devices on the planet.
Too late (Score:2)
Does it matter? It's not like anyone with any awareness is going to buy their crap anyway. I avoid them like that plague now, and I advise everyone I know to do the same.
Maybe they can try again next Christmas?