Lenovo Fingerprint Reader Software Failed to Properly Secure Credentials
Lenovo is advising users of ThinkPad, ThinkCentre and ThinkStation business computers to install a new version of its fingerprint management software to fix a security issue that could expose credentials and authentication data.
“Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,” Lenovo said in an advisory.
The company has fixed the issue in Fingerprint Manager Pro 8.01.87, released in December, although the changelog doesn’t make that clear. The only change listed for the new version is: “All binaries digitally signed with Softex certificate and will show sha256 as digest algorithm.”
Lenovo Fingerprint Manager Pro is a utility for systems running Windows 7, 8 or 8.1 that allows users to authenticate on their PCs and on various websites using the fingerprint reader of their Lenovo computers. Windows 10 provides its own component for managing fingerprint readers, so users shouldn’t have Lenovo’s software installed on such systems.
This is not the first time that a security vulnerability has been found in Lenovo’s fingerprint software. In March 2016, the company fixed a privilege escalation vulnerability in the same package that could have allowed attackers to execute malicious code with administrator privileges.
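The practical check for an administrator is whether a build older than 8.01.87 is still present on Windows 7/8/8.1 hosts, or whether the utility is installed at all on Windows 10. The following PowerShell audit is an added example, not code from the article or from Lenovo; it assumes the product registers under the standard Uninstall keys with a DisplayName containing "Fingerprint Manager" and a parsable DisplayVersion.

```powershell
# Added example (not from the article or from Lenovo): report hosts that still
# carry a pre-8.01.87 Lenovo Fingerprint Manager Pro, or carry it on Windows 10.
# Assumption: the product's uninstall entry has a DisplayName matching
# "*Fingerprint Manager*" and a DisplayVersion that parses as a [version].

$FixedVersion = [version]'8.01.87'   # fixed build named in Lenovo's advisory

function Get-FingerprintManagerStatus {
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Fingerprint Manager*' }

    $osVersion = [System.Environment]::OSVersion.Version

    foreach ($entry in $entries) {
        $installed = $null
        [void][version]::TryParse($entry.DisplayVersion, [ref]$installed)

        # Windows 10 (major version 10) manages the reader itself; the article
        # notes Lenovo's utility should not be installed there at all.
        if ($osVersion.Major -ge 10) {
            $finding = 'Remove: not needed on Windows 10'
        } elseif ($null -eq $installed) {
            $finding = 'Unknown version: verify manually'
        } elseif ($installed -lt $FixedVersion) {
            $finding = "Vulnerable: update to $FixedVersion"
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Product      = $entry.DisplayName
            Version      = $entry.DisplayVersion
            Finding      = $finding
        }
    }
}

Get-FingerprintManagerStatus | Format-Table -AutoSize
```

Run it through your inventory tooling (Invoke-Command, a logon script, or an EDR query) to collect one row per host; an empty result means no matching uninstall entry was found.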
Microsoft Releases Out-of-Band Update to Disable Spectre Mitigation
Microsoft has released an unscheduled update for Windows systems to disable the mitigation released earlier this month for one of the two Spectre attack variants affecting CPUs. The decision comes after Intel confirmed that its CPU microcode patch for Spectre variant 2 can cause system reboots and other unpredictable behavior.
“Our own experience is that system instability can in some circumstances cause data loss or corruption,” Microsoft said in a support document. “While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – ‘Branch target injection vulnerability.’ In our testing this update has been found to prevent the behavior described.”
Spectre variant 2, also known as branch target injection, requires a microcode patch that adds a new mechanism to the CPU’s instructions as well as an OS-level patch that allows Windows to use the new mechanism. What Microsoft does with this update is disable the OS-level mitigation, which should prevent reboots even if the faulty microcode has been applied through the BIOS.
Intel confirmed the problems introduced by its microcode update for Broadwell and Haswell CPUs last week and said that an improved fix has been shared with computer manufacturers for testing. OEMs, including HP, Dell and Lenovo, withdrew their previously released BIOS/UEFI updates that included the buggy microcode and are expected to release new versions with the improved fix once testing is complete.
Instead of deploying the KB4078130 update, system administrators can disable the Windows mitigation for Spectre variant 2 by changing specific registry values described in previous Microsoft support documents. This can be automated in enterprise environments to disable the mitigation on a large number of computers.
“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE-2017-5715) has been used to attack customers,” Microsoft said. “We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.”
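The registry route mentioned above, and the later re-enabling Microsoft recommends, can be handled with one script so that the override is explicit and reversible. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes, from Microsoft's published guidance as this example's author understands it, that bit 0 of FeatureSettingsOverride disables the CVE-2017-5715 (branch target injection) mitigation and that FeatureSettingsOverrideMask selects which override bits are honored; confirm both against the current support document for your OS build before deploying.

```powershell
# Added example (not from the article or from Microsoft): inspect and toggle the
# Windows OS-level mitigation for CVE-2017-5715 via the registry override values,
# the alternative to KB4078130 that the article mentions. A reboot is required
# for a change to take effect.
# Assumption (per Microsoft's guidance as understood here; verify against the KB):
#   FeatureSettingsOverride bit 0 set  = branch target injection mitigation disabled
#   FeatureSettingsOverrideMask        = which override bits the kernel honors

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$BtiBit     = 1   # bit 0: CVE-2017-5715 / branch target injection

function Get-BtiMitigationState {
    $props    = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = [int]($props.FeatureSettingsOverride)      # missing value reads as 0
    $mask     = [int]($props.FeatureSettingsOverrideMask)
    $disabled = (($override -band $mask -band $BtiBit) -ne 0)
    [pscustomobject]@{
        ComputerName                    = $env:COMPUTERNAME
        FeatureSettingsOverride         = $override
        FeatureSettingsOverrideMask     = $mask
        BtiMitigationDisabledByRegistry = $disabled
    }
}

function Set-BtiMitigationOverride {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Enable')]
        [string]$Action
    )
    # Preserve any other override bits already configured (e.g. the CVE-2017-5754
    # bit); only the BTI bit is changed.
    $props    = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = [int]($props.FeatureSettingsOverride)
    $mask     = [int]($props.FeatureSettingsOverrideMask)

    if ($Action -eq 'Disable') {
        $override = $override -bor $BtiBit            # set bit 0: mitigation off
    } else {
        $override = $override -band (-bnot $BtiBit)   # clear bit 0: mitigation on
    }
    $mask = $mask -bor $BtiBit                        # make the BTI bit explicit either way

    Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -Value $override -Type DWord
    Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -Value $mask     -Type DWord
    Get-BtiMitigationState
}

# Usage (run elevated; reboot afterwards):
#   Set-BtiMitigationOverride -Action Disable   # while the faulty microcode is in place
#   Set-BtiMitigationOverride -Action Enable    # once the corrected microcode is deployed
Get-BtiMitigationState
```

The registry values only express intent; after the reboot, confirm the effective state with Microsoft's SpeculationControl module (Get-SpeculationControlSettings), which reports whether branch target injection hardware support is present and whether the Windows mitigation is actually enabled, and keep the Enable step in your change calendar so the override does not outlive the microcode problem.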
Microsoft has previously halted the distribution of Spectre variant 2 patches on systems with AMD CPUs because they were also causing instability. The company later resumed the updates after the cause was identified and resolved.