14 DAY TRIAL // Lenovo has hid a crucial security update in an old security advisory from last year. The advisory details fixes for a vulnerability that, if exploited, could allow a malicious actor to take over the user's computer via the company's pre-installed junkware called the Lenovo Solution Center.
Lenovo users should now go to Lenovo's website and download the Lenovo Solution Center version 3.3.002 in order to patch their systems against the vulnerability identified as CVE-2016-1876.
Newest issue allows total device takeover
An unnamed security researcher from Trustwave discovered the issue, which is a local privilege escalation that allows an attacker to get elevated system access, which in turn allows him to execute code without restrictions on the machine. Depending on the attacker's skill level, he can very easily take over a user's device.
The Lenovo Solution Center is a software application that comes pre-installed on all Lenovo laptops and computers. The company designed it to help users manage their drivers, install necessary updates, or debug their computers.
Despite their best intentions, the software is rarely used, and very few users know of its presence. In industry circles, such built-in & rarely used software is often referred to as junkware or bloatware.
Lenovo has a history of security issues
This is not the first time security experts have found issues in Lenovo's backyard. In February 2015, researchers found that Lenovo was dispatching a root certificate with its laptops. This incident became infamous in infosec circles as Superfish.
Later in December, security researchers from LizardHQ discovered three different issues in the bloatware of Dell, Toshiba, and Lenovo devices.
In that incident, Lenovo's Solution Center featured another privilege escalation issue, which the company fixed with version 2.0. It is in the advisory of this issue where Lenovo added the second problem reported by the Trustwave researcher.
UPDATE: Lenovo has provided the following statement regarding the most recent security issue:
“ In December 2015, Lenovo posted a security advisory that acknowledged vulnerabilities in its Lenovo Solution Center (LSC) software that could be used to compromise a system through a remote privilege escalation attack. Lenovo then urgently posted fixes that addressed these vulnerabilities. Subsequently, Trustwave, an independent researcher, reported to Lenovo a separate security vulnerability in Lenovo Solution Center that could lead to an unauthorized local privilege escalation. In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 again updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it. We recommend users update their systems to the latest Lenovo System Update version 3.3.002 that addresses all of the known security vulnerabilities. ”
