TellYouThePass ransomware revived in Linux, Windows Log4j attacks
Google Calendar now lets you block invitation phishing attempts
Credit card info of 1.8 million people stolen from sports gear sites
All Log4j, logback bugs we know so far and why you MUST ditch 2.15
TellYouThePass ransomware revived in Linux, Windows Log4j attacks
Get your own virtual desktop with 54% off Shells subscriptions
Credit card info of 1.8 million people stolen from sports gear sites
CISA urges VMware admins to patch critical flaw in Workspace ONE UEM
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Lenovo laptop
Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges.
The flaws are tracked as CVE-2021-3922 and CVE-2021-3969 and affect the ImControllerService component of all Lenovo System Interface Foundation versions below When viewing the Windows services screen, this service has a display name of “System Interface Foundation Service.”
The particular service is a component of Lenovo System Interface Foundation, which helps Lenovo devices communicate with universal apps like Lenovo Companion, Lenovo Settings, and Lenovo ID. The service is preinstalled by default on numerous Lenovo Models, including Yoga and ThinkPad devices.
“The Lenovo System Interface Foundation Service provides interfaces for key features such as: system power management, system optimization, driver and application updates, and system settings to Lenovo applications including Lenovo Companion, Lenovo Settings and Lenovo ID,” reads the description of the Windows service.
“If you disable this service, Lenovo applications will not work properly.”
The discovery of the vulnerabilities was the work of researchers at NCC Group, who reported their findings to Lenovo on October 29, 2021.
The computer maker released the security updates on November 17, 2021, while the relevant advisory was published on December 14, 2021.
Because ImController needs to fetch and install files from Lenovo servers, execute child processes, and perform system configuration and maintenance tasks, it runs with SYSTEM privileges.
SYSTEM privileges are the highest user rights available in Windows and allow someone to perform almost any command on the operating system. Essentially, if a user gains SYSTEM privileges in Windows, they gain complete control over the system to install malware, add users, or change almost any system setting.
This Windows service will spawn further child processes, which open named pipe servers that the ImController service used to communicate with the child process. When ImController needs one of these services to execute a command, it will connect to the named pipe and issue XML serialized commands that should be executed.
Unfortunately, the service doesn’t handle the communications between privileged child processes securely and fails to validate the source of XML serialized commands. This means that any other process, even malicious ones, can connect to the child process to issue their own commands.
As such, an attacker leveraging this security gap can send an instruction to load a ‘plugin’ from an arbitrary location on the filesystem.
“The first vulnerability is a race condition between an attacker and the parent process connecting to the child process’ named pipe,” explains NCC Group
“An attacker using high-performance filesystem synchronization routines can reliably win the race with the parent process to connect to the named pipe.”
The researchers underline that their proof of concept code never failed to connect to the named pipe before the parent service could do so, which means the exploit is very reliable.
The second flaw is a time-of-check to time-of-use (TOCTOU) vulnerability which enables an attacker to stall the loading process of a validated ImControllerService plugin and replace it with a DLL of their choosing.
Once the lock is released and the loading procedure continues, the DLL is executed, leading to privilege escalation.
All Windows users with Lenovo laptops or desktops running the ImController version or older are advised to upgrade to the latest available version (
To determine what version you’re running, follow these steps:
Removing the ImController component, or the Lenovo System Interface Foundation, from your device is not officially recommended because it may affect some functions on your device, even if it’s not considered essential.
All Windows versions impacted by new LPE zero-day vulnerability
Attackers can get root by crashing Ubuntu’s AccountsService
CISA urges VMware admins to patch critical flaw in Workspace ONE UEM
All Log4j, logback bugs we know so far and why you MUST ditch 2.15
Log4j attackers switch to injecting Monero miners via RMI
Two things:
1. In the course of checking our Lenovo fleet, I did notice that ImController version was installed on our M710e (10UR001LUS) desktops and as such is not limited to laptops.
2. Is Lenovo recommending an installation course being that this is not currently available via Lenovo Vantage or Lenovo System Update?
Answered my own question to part 2:
“Mitigation Strategy for Customers (what you should do to protect yourself):

Update the IMController component of Lenovo System Interface Foundation to version

The Lenovo IMController software component is automatically updated by the Lenovo System Interface Foundation Service. To immediately start the update process, reboot the computer or restart the “System Interface Foundation Service” service.

To verify the Lenovo IMController version:

Open File Explorer and navigate to C:WindowsLenovoImControllerPluginHost
Right click on Lenovo.Modern.ImController.PluginHost.exe and select Properties.
Click on the Details tab.
Read the File version.”

Just took a little longer for me to find.
Thanks for sharing the info, @bluto4x.
Not a member yet? Register Now
Large-scale phishing study shows who bites the bait more often
Sites hacked with credit card stealers undetected for months
To receive periodic updates and news from BleepingComputer, please use the form below.
Malwarebytes for Mac
Malwarebytes Anti-Malware
Farbar Recovery Scan Tool
Windows Repair (All In One)
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.