Two vulnerabilities found in Lenovo Yoga and ThinkPad notebooks; both have been officially fixed

IT Home, December 18: According to foreign media reports, overseas security researchers have found two security vulnerabilities in Lenovo's Yoga and ThinkPad notebook series. The vulnerabilities are not bugs in Windows itself but flaws in OEM software. The researchers found that hackers could use the two vulnerabilities to escalate privileges, making it easier to take control of the system.

The details of the vulnerabilities are as follows:

CVE-2021-3922: A race condition vulnerability exists in IMController, a component of the Lenovo System Interface Foundation. A local attacker can exploit it to connect to and interact with a named pipe in the IMController child process.

CVE-2021-3969: This vulnerability is also in the IMController component. It is a time-of-check to time-of-use (TOCTOU) vulnerability that could allow a local attacker to elevate privileges.

Although both are local vulnerabilities, an attacker who has connected to a computer remotely by other means can also exploit them. Fortunately, Lenovo has released an update for the Lenovo System Interface Foundation; upgrading IMController to version 1.1.20.3 fixes the issues.

According to IT Home, this update will be pushed automatically, and users can also get the update by restarting the computer or restarting the "System Interface Foundation Service" service.

To check the current version number of Lenovo IMController, you can do the following:

Open File Explorer and go to the C:\Windows\Lenovo\ImController\PluginHost\ directory.

Right-click lenovo.Modern.ImController.PluginHost.exe to open Properties.

Click on the "Details" tab.

View the program version number.
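The same check can be scripted instead of clicking through Explorer. The PowerShell below is an added example, not code from the article or from Lenovo; it uses the path, file name, fixed version 1.1.20.3 and service display name exactly as given in the article, and the function name Get-ImControllerStatus is hypothetical.

```powershell
# Added example. Path, file name, fixed version and service display name come from the article.
$PluginHost   = 'C:\Windows\Lenovo\ImController\PluginHost\lenovo.Modern.ImController.PluginHost.exe'
$FixedVersion = [version]'1.1.20.3'
$ServiceLabel = 'System Interface Foundation Service'

function Get-ImControllerStatus {   # hypothetical helper name
    param(
        [string]$Path = $PluginHost,
        [version]$Minimum = $FixedVersion
    )

    $result = [ordered]@{
        Computer  = $env:COMPUTERNAME
        Installed = $false
        Version   = $null
        Patched   = $null
        Service   = 'not found'
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # Build the version from the binary's numeric fields (what Explorer's Details
        # tab shows) rather than parsing the free-form FileVersion string.
        $vi = (Get-Item -LiteralPath $Path).VersionInfo
        $found = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $result.Installed = $true
        $result.Version   = $found
        # [version] compares field by field, so e.g. 1.1.9.0 sorts below 1.1.20.3,
        # which a plain string comparison would get wrong.
        $result.Patched   = ($found -ge $Minimum)
    }

    # Report the state of the service the article says to restart to pull the update.
    $svc = Get-Service -DisplayName $ServiceLabel -ErrorAction SilentlyContinue
    if ($svc) { $result.Service = $svc.Status.ToString() }

    [pscustomobject]$result
}

$status = Get-ImControllerStatus
$status | Format-List
if ($status.Installed -and -not $status.Patched) {
    Write-Warning "IMController $($status.Version) is older than $FixedVersion; install the updated Lenovo System Interface Foundation."
}
```

A machine where the file is absent reports Installed as False and Patched as empty, which distinguishes "component not present" from "present but outdated".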

IT Home has learned that, as of now, the Lenovo System Interface Foundation software on Lenovo's official website has also been updated to the latest version; the current version number is 1.1.19.8.
