Lenovo has patched two serious vulnerabilities in Lenovo System Update that can allow hackers to elevate privileges and guess admin passwords. Details were disclosed Tuesday by researchers at IOActive, who privately reported the flaws in October. The vulnerabilities were patched last Thursday by the manufacturer and details were disclosed by researchers. Both vulnerabilities were found in the Lenovo system Update version 5.07.0013, which fetches updates from Lenovo support. An attacker can elevate to admin privileges on a Lenovo computer by taking advantage of a weakness in a password-generation algorithm to guess the username and password of temporary administrator account.
Source: https://threatpost.com/lenovo-patches-vulnerabilities-in-system-update-service-2/115482/