Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them. Lenovo released an updated version of Lenovo System Update on April 1st, which resolves these vulnerabilities. We subsequently published a security advisory in coordination with IOActive at: https://support.lenovo.com/us/en/product_security/lsu_privilege.
Existing installations of Lenovo System Update will prompt the user to automatically install the updated version of the program when the application is run. Alternatively, users may manually update System Update as described in the security advisory. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive. In general, Lenovo encourages its users to keep their systems up to date by allowing automatic updates to run when prompted.