Do you own a Lenovo Yoga or ThinkPad laptop? If so be advised that a pair of critical security flaws have recently been found that could allow an attacker Admin level access to your machine.
The flaws are centered in the IMControllerService and are being tracked as CVE-2021-3922 and CVE-2021-3969. They impact all Lenovo System Interface Foundations versions below 1.1.20.3.
According to the Windows description of the service:
"The Lenovo System Interface Foundation Service provides interfaces for key features such as: system power management, system optimization, driver and application updates, and system settings to Lenovo applications including Lenovo Companion, Lenovo Settings and Lenovo ID."
Unfortunately, that means that simply disabling the service is not an option. Since it is so tightly woven into the fabric of these machines disabling it will essentially render your laptop nonfunctional. At the very least it may stop several key features of your machine from working properly.
Researchers from NCC Group who discovered the vulnerabilities explain them this way:
"The first vulnerability is a race condition between an attacker and the parent process connecting to the child process' named pipe.
An attacker using high-performance filesystem synchronization routines can reliably win the race with the parent process to connect to the named pipe."
They went on to explain that the second flaw was centered around a "time of check to time of use" vulnerability. That allows an attacker to interrupt the loading process of a validated ImControllerService plugin and replace it with a DLL of the attacker's choosing.
The good news is that Lenovo moved quickly and as of December 14th, 2021 the issue has been resolved. If you have one of the laptops mentioned above or some other model that makes use of the ImControllerService be sure to download the latest updates from Lenovo in to plug the hole in your machine's security. Kudos to Lenovo for their swift response!
________________________________________________________________________________________________________
STOP OVERPAYING for CABLE and Netflix!
TeQ I.Q. Service works on "Apple, Android, Roku, Amazon, Computers, and more"
"We Now have TeQ I.Q. VOD+(Video On Demand) The Best VOD Service!
"If you have Netflix or any other VOD Service you should switch to TeQ I.Q. VOD+ Service"
It is better than Netflix with 5 Connections and 4K and 3D included. Better than all other VOD services with Over 30,000 Movies, including New In Theatre Movies, Over 10,000 TV Series and growing. TeQ I.Q. VOD+ adds Movies and TV Series on Request.
Check out our TeQ I.Q. Services at https://www.teqiq.com/tv
We are giving a Free in Person TeQ Seminar at our office in La Mesa every Wednesday from 12pm-1pm and a Free TeQ Support Q&A from 1pm-2pm. Go to https://www.teqiq.com/events for our upcoming Events and https://www.teqiq.com/seminars for info on each Seminar.
For Free Consultation Call Now Robert Black at (619) 255-4180 or visit our website https://www.teqiq.com/
Chase Bank and Others Trust TeQ I.Q. with their IT and TeQnology so can you!
