Lenovo issues update fixing software vulnerabilities on many of its computers

Lenovo ThinkPad X1 Yoga
Bill Roberson/Digital Trends
Information security company Trustwave Holdings provided Digital Trends with an early glimpse into an upcoming blog set to be published on Friday afternoon, stating that the firm has discovered multiple vulnerabilities in the Lenovo Solution Center software that’s pre-installed on most Lenovo products including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select Ideapad laptops.

The report was provided by Trustwave’s Martin Rakhmanov, and reveals that the vulnerabilities in this specific Lenovo software suite allows “unprivileged” local users to run arbitrary code with the highest system-level privileges. Typically, only the administrator has full system access, but the problem allows any non-administrator account on the computer to be used to hack the system.

The exploits were discovered in Lenovo Solution Center version 2.8.006 but affects all versions prior to 3.3.0002. Hackers can simply open up the Command Prompt to launch the Lenovo Solution Center service, or launch the Lenovo System Health and Diagnostics application through the Control Panel. After that, the hackers can enter a specific URL in any web browser and pull up the Device Manager running as LocalSystem instead of the current non-administrative user.

With Device Manager now loaded, hackers can install a new “driver” that will execute whatever code they choose in user mode or kernel mode. However, the report said that the kernel mode drivers must be signed by default whereas the user mode drivers can run as a LocalService account. To execute the code, hackers must create a “dummy” driver with an INF file that points back to a malicious DLL file stored on the hard drive.

That said, hackers merely use the “Add legacy hardware” option in Device Manager, select “Install the hardware that I manually select from a list (Advanced),” then “Show All Devices,” and finally “Have Disk.” The hackers then locate the INF file and agree to install non-verified driver software.

According to the report, Trustwave contacted Lenovo about the issue with Lenovo Solution Center on January 11. Subsequently, a patch was released by Lenovo on April 26. Lenovo has provided a warning page here that explains the situation and adds that hackers can attack the vulnerable PC remotely as well. The company also points out that while Lenovo Solution Center may not be actively running on the screen, the vulnerable backend service process continues to run.

“A cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine.  The user’s computer may still be vulnerable even if the LSC user interface is not running,” the warning current states.

The release history shows that 3.3.002 is the latest version of Lenovo Solution Center. Customers are encouraged to upgrade the software by clicking “Yes” or “Update Now” when prompted on the program’s user interface, depending on the version currently installed.

As previously stated, Lenovo installs this software on most of its PCs. The suite serves as a hub for monitoring the system’s health and security such as firewall status, antivirus status, battery health, and more. It joins a number of other software components Lenovo loves to install like Lenovo App Shop, Lenovo Companion, Lenovo Reach, and so on.

This isn’t the first time Lenovo has experienced troubles with its pre-installed software. The company faced a lawsuit early last year after it pre-installed the SuperFish “man-in-the-middle” adware on a number of its consumer-based PCs. SuperFish not only injects suggested ads into search results, but can cause severe security issues. The company admitted to making a mistake and distributed fixes that removed applications and certificates based on SuperFish from purchased Lenovo solutions. Uninstall instructions were also provided here.

We reached out to Lenovo for a comment but have yet to receive a reply.


Microsoft leans on A.I. to resume safe delivery of Windows 10 Update

Microsoft is leaning on artificial intelligence as it resumes the automatic rollout of the Windows 10 October 2018 Update. You should start seeing the update soon now that Microsoft has resolved problems with the initial software.

Need a free alternative to Adobe Illustrator? Here are our favorites

Photoshop and other commercial tools can be expensive, but drawing software doesn't need to be. This list of the best free drawing software is just as powerful as some of the more expensive offerings.

‘Fortnite’ security flaw let hackers spy on players through microphones

A security vulnerability found in Fortnite allowed hackers to gain access to other players' accounts, potentially letting them spy on conversations using the in-game microphone. It has been addressed.

Don't spend hundreds on Pro Tools or Logic. Try one of these free alternatives

Believe it or not, Pro Tools isn't the only digital audio workstation worth your time. Check out our picks for the best free recording software, whether you're looking for a lightweight app or a full-blown audio workstation.

Watch out for these top-10 mistakes people make when buying a laptop

Buying a new laptop is exciting, but you need to watch your footing. There are a number of pitfalls you need to avoid and we're here to help. Check out these top-10 laptop buying mistakes and how to avoid them.

Don't spend a fortune on a PC. These are the best laptops under $300

Buying a laptop needn't mean spending a fortune. If you're just looking to browse the internet, answer emails, and watch Netflix, you can pick up a great laptop at a great price. These are the best laptops under $300.
Product Review

LG Gram 14 proves 2-in-1 laptops don’t need to sacrifice battery for light weight

The LG Gram 14 2-in-1 aims to be very light for a laptop that converts to a tablet. And it is. But it doesn’t skimp on the battery, and so it lasts a very long time on a charge.

Dell XPS 13 vs. Asus Zenbook 13: In battle of champions, who will be the victor?

The ZenBook 13 UX333 continues Asus's tradition of offering great budget-oriented 13-inch laptop offerings. Does this affordable machine offer enough value to compete with the excellent Dell XPS 13?

Take a trip to a new virtual world with one of these awesome HTC Vive games

So you’re considering an HTC Vive, but don't know which games to get? Our list of 25 of the best HTC Vive games will help you out, whether you're into rhythm-based gaming, interstellar dogfights, or something else entirely.

The Asus ZenBook 13 offers more value and performance than Apple's MacBook Air

The Asus ZenBook 13 UX333 is the latest in that company's excellent "budget" laptop line, and it looks and feels better than ever. How does it compare to Apple's latest MacBook Air?

AMD Radeon VII will support DLSS-like upscaling developed by Microsoft

AMD's Radeon VII has shown promise with early tests of an open DLSS-like technology developed by Microsoft called DirectML. It would provide similar upscale features, but none of the locks on hardware choice.

You could be gaming on AMD’s Navi graphics card before the end of the summer

If you're waiting for a new graphics card from AMD that doesn't cost $700, you may have to wait for Navi. But that card may not be far away, with new rumors suggesting we could see a July launch.

Is AMD's Navi back on track for 2019? Here's everything you need to know

With a reported launch in 2019, AMD is focusing on the mid-range market with its next-generation Navi GPU. Billed as a successor to Polaris, Navi promises to deliver better performance to consoles, like Sony's PlayStation 5.

Cortana wants to be friends with Alexa and Google Assistant

Microsoft no longer wants to compete against Amazon's Alexa and Google's Assistant in the digital assistant space. Instead, it wants to transform Cortana into a skill that can be integrated into other digital assistants.