SafeBreach reported the vulnerability in August and Lenovo pushed out a fix on Nov 19. It's important to note that a malicious actor would need administrator privileges on your laptop to exploit this vulnerability, so you should be protected as long as you don't let someone physically access your laptop. Lenovo posted a support page describing the vulnerability, which it deemed to be of "Medium" severity. In the past several months, SafeBreach has found similar DLL-injection vulnerabilities in HP and Dell computers, as well as in Bitdefender, Trend Micro, McAfee and Symantec antivirus software.
SafeBreach explains that the two root causes of the breach in security are that there is no digital certification validation and because of an untrusted DLL search order.
0 kommentar(er)
