Lenovo Computers Have 'Massive Security Risk'
Earlier this year, Lenovo's consumer notebooks were found to include preloaded adware called Superfish that could compromise users' data. The company apologized for including the software on its devices and pledged to eliminate any "bloatware" on future computers.
The three latest vulnerabilities were discovered by IOActive researchers Michael Milvich and Sofiane Talmat, who then notified Lenovo about the problems. Lenovo released patches for all three issues on April 3.
All ThinkPads, Other Devices Affected
Lenovo is the world's largest maker of consumer PCs. In releasing its shipment figures for the first quarter of 2015 last month, the company reported that it had a 19.6-percent share of the world market and had achieved a new record market share of 11.8 percent in the U.S.
The company released a statement on Wednesday saying its development and security teams had been working with IOActive to address the latest vulnerabilities, and had updated its Lenovo System Update on April 1.
While the System Update should prompt users to automatically install a new program to resolve the latest vulnerabilities, users can also run the updater manually. Among the devices that might have been affected by the flaws discovered by IOActive are all ThinkPads, all ThinkCentres, and all ThinkStations as well as computers in the Lenovo V/B/K/E series.
When Lenovo issued its apology earlier this year, it noted that the Superfish incident reinforced the principle that "customer experience, security and privacy must be our top priorities . . . Our goal is clear: To become the leader in providing cleaner, safer PCs."
'Massive Security Risk'
In their technical analysis, Milvich and Talmat describe three vulnerabilities, all of which affected Lenovo's previous version of its System Update. Those flaws included the use of a predictable security token, the presence of signature validation errors and a so-called "race condition" in which multiple operations that need to be performed in a certain sequence "race" one another to complete.
With the Lenovo System Update race condition, two operations were competing: verification of the executable's signature and execution of the saved executable. This opened a window in which a local attacker could substitute malicious code for the intended executable and have it run without tripping the privilege checks that would otherwise apply. Such an attack could allow a hacker to gain elevated permissions on a user's system, Milvich and Talmat noted.
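The race Milvich and Talmat describe is a time-of-check/time-of-use gap between verifying a file's signature and running it. The Python below is an added illustration, not Lenovo's or IOActive's code: `vulnerable_update` re-reads the file by path after checking it, while `hardened_update` verifies and runs the same bytes it read once; the HMAC "signature", the file contents and the `swap` hook that stands in for the race window are all constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the vendor's signing key. A real updater checks a
# public-key signature; an HMAC is used here only to keep the demo offline.
SIGNING_KEY = b"constructed-demo-key"

def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()

def verify(payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(payload), signature)

def vulnerable_update(path, signature, between=None):
    """Check-then-use by path: verify one read, then re-open the path to run."""
    with open(path, "rb") as f:
        if not verify(f.read(), signature):
            raise ValueError("signature check failed")
    if between:                   # hook standing in for the race window
        between(path)
    with open(path, "rb") as f:   # second read may see a replaced file
        return f.read().decode()  # stand-in for executing the binary

def hardened_update(path, signature, between=None):
    """Read once, verify those bytes, and 'execute' exactly those bytes."""
    with open(path, "rb") as f:
        payload = f.read()
    if not verify(payload, signature):
        raise ValueError("signature check failed")
    if between:
        between(path)             # a swap now cannot change `payload`
    return payload.decode()

def demo():
    trusted, sig = b"trusted-installer", sign(b"trusted-installer")
    fd, path = tempfile.mkstemp()
    os.close(fd)
    def swap(p):                  # constructed: overwrite file in the window
        with open(p, "wb") as f:
            f.write(b"replaced-installer")
    results = {}
    for name, fn in (("vulnerable", vulnerable_update), ("hardened", hardened_update)):
        with open(path, "wb") as f:
            f.write(trusted)
        results[name] = fn(path, sig, swap)
    os.remove(path)
    return results
```

In a real updater the equivalent fix is to copy the download into a directory only the privileged service can write, verify that copy, and execute that same copy, so nothing an unprivileged user controls sits between the check and the run.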
The other two vulnerabilities that IOActive identified included the use of a predictable security token that could allow a malicious, unprivileged user to arbitrarily execute commands during system updates, which "represents a massive security risk," Milvich and Talmat said. A separate signature-validation flaw could allow hackers to "bypass signature validation checks and replace trusted Lenovo applications with malicious applications," they added.