5 members / 145 guests (24 hours)
$0.04
$0.00 (0.00%)
High: $0.00
Low: $0.00
Volume: 0

An Interesting IDB update! And how IDB got even faster.  IDB is fast, reliable, and FREE to use. Just join and start posting!

Lenovo Says It Shipped A Hackable Fingerprint Manager With Its Laptops

Lenovo laptops with Windows 7, 8, and 8.1 have a comparable solution to Windows Hello (in Windows 10) in Wave ESC, and Wave VSC 2.0.  The sensitive information could be stored in the TPM (hardware) using those products.  imo.

 

https://fossbytes.com/lenovo-thinpad-laptops-shipped-vulnerable-fingerprint-sensor-patch-available/

 

In case you’re running a Lenovo business machine with a built-in fingerprint sensor, you might want to install the latest security patch issued by the company.

 

According to a security advisory published last week, the Lenovo Fingerprint Manager Pro software on many ThinkPad, ThinkCentre, and ThinStation systems contains a critical local privilege escalation vulnerability (CVE-2017-3762).

 

The software stores sensitive information such as user’s biometric data and Windows login credentials. But the data is encrypted with a weak algorithm and also contains a hard-coded password which can be accessed by all users. An attacker can view login credentials and fingerprint data, but it requires physical access to the system.

The vulnerability currently affects Lenovo ThinkPad systems running Windows 7, 8, 8.1 operating system. The list includes:

  • ThinkPad L560
  • ThinkPad P40 Yoga, P50s
  • ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
  • ThinkPad W540, W541, W550s
  • ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
  • ThinkPad X240, X240s, X250, X260
  • ThinkPad Yoga 14 (20FY), Yoga 460
  • ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
  • ThinkStation E32, P300, P500, P700, P900

Lenovo has released a patch to fix the same. The Fingerprint Manager Pro should be updated to version 8.01.87 (download here) or above

 

Users running Windows 10 can rest assured as the vulnerability doesn’t pose any threats to their machines, Lenovo updated the advisory yesterday. Windows 10 users don’t need to install the fingerprint manager update either. The reason these devices aren’t affected is due to the fact that they use Windows Hello which is Microsoft’s home-baked fingerprint recognition software.