Skip to main content

Your Lenovo laptop may have a serious security flaw

Lenovo laptop on desk
Vlad Bagacian/Unsplash

Users of older Lenovo laptops should beware of a security flaw that may affect their PCs, particularly if their laptops are still running a program called Lenovo Solution Center.

According to Laptop Magazine, security researchers at Pen Test Partners have discovered a security vulnerability that could effectively “hand admin privileges over to hackers or malware.” And since the flaw affects Lenovo laptops that came pre-installed with the Lenovo Solution Center program, millions of older Lenovo laptops could be affected by the flaw. This is because Lenovo laptops had the program installed for years, from 2011 all the way to November 2018.

Pen Test Partners published its own post about the flaw on Thursday, August 22. In the post, PTP described the flaw as a “privilege escalation vulnerability” which allows the use of a DACL (discretionary access control list) overwrite bug and a “hardlink” (pseudo) file to let “the low-privileged user take full control of a file they shouldn’t normally be allowed to. This can, if you’re clever, be used to execute arbitrary code on the system with Administrator or System privileges.”

Lenovo issued its own security warning about the flaw on Tuesday, August 20. In this statement, Lenovo said that the flaw affected devices running Lenovo Solution Center version 03.12.003 and recommend that Lenovo users should go ahead and uninstall Lenovo Solution Center (which is no longer supported) and “migrate to Lenovo Vantage or Lenovo Diagnostics.” Lenovo’s security warning statement also included instructions on how to uninstall Lenovo Solution Center for devices running Windows 10, Windows 8, and Windows 7.

It’s also worth noting that in its post, Pen Test Partners also noted a discrepancy involving the actual end-of-life date for the Lenovo Solution Center program:

“Whilst Lenovo were responsive to my disclosure, when we reported this to them back in May, their LSC download page noted that the tool went end of life in November 2018…But just after their disclosure went out, we noticed they had changed the end-of-life date to make it look like it went end of life even before the last version was released. Their own vulnerability advisory states: ‘Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.’… yet the last release of LSC was on 15th October 2018 … Could it be a typo, or were Lenovo trying to cover their tracks? Misleading and strange.”

The Register asked Lenovo about the end-of-life date discrepancy and the laptop manufacturer responded with the following statement:

“It’s often the case for applications that reach end of support that we continue to update the applications as we transition to new offerings is to ensure customers that have not transitioned, or choose not to, still have a minimal level of support, a practice that is not uncommon in the industry.”

Digital Trends has reached out to Lenovo for comment, and we’ll update this article once we receive a response.

Anita George
Anita has been a technology reporter since 2013 and currently writes for the Computing section at Digital Trends. She began…
Google is cracking down on internet security in this big way
Connection is not private warning from Google.

Google is making some serious changes to digital certificate security on the web, the company announced on its Security blog. The big news is that Google will no longer trust certificates from two large security firms -- Entrust or AffirmTrust -- due to repeated security lapses.

According to Google, the companies, which are Certificate Authorities (CA), have demonstrated patterns of unmet improvement commitments, compliance failures, and no measurable progress in how fast the company responds to publicly disclosed incident reports.

Read more
Your PC’s security is being attacked on two new fronts
Person using Windows 11 laptop on their lap by the window.

Your PC is facing a double whammy of cyber threats, both of them built into basic Windows features -- one that exploits Windows search and another a Wi-Fi vulnerability.

The first vulnerability allows hackers to exploit search in what researchers have called a "clever" way, as reported by Trustwave. It begins when users are tricked into downloading malware, starting with phishing emails with malicious .ZIP attachments containing HTML files disguised as invoices or something along those lines.

Read more
4 high-end features Windows laptops still have over MacBooks
Lenovo Yoga 9i Gen 9 top down view showing tablet and pen.

Apple's MacBook lineup has exploded over the last several years, with its Silicon chipsets offering class-leading performance and efficiency. The MacBook Pro, in particular, is faster than many Windows laptops, longer-lasting than most, and has an excellent mini-LED display. There are many good reasons to choose a MacBook over a Windows laptop in today's market.

But all isn't lost for the Windows platform. Even aside from the upcoming Snapdragon X Elite laptops that look to be competitive, there are still some more basic features that you can only get on a Windows laptop at the moment. Here are the four that I keep coming back to.
Windows Hello

Read more