Lenovo issues update fixing software vulnerabilities on many of its computers

[Image: Lenovo ThinkPad X1 Yoga. Photo: Bill Roberson/Digital Trends]
Information security company Trustwave Holdings gave Digital Trends an early look at a blog post set to be published on Friday afternoon, stating that the firm has discovered multiple vulnerabilities in the Lenovo Solution Center software that is pre-installed on most Lenovo products, including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select Ideapad laptops.

The report was provided by Trustwave’s Martin Rakhmanov and reveals that the vulnerabilities in this software suite allow “unprivileged” local users to run arbitrary code with the highest system-level privileges. Typically, only the administrator has full system access, but the problem allows any non-administrator account on the computer to be used to take control of the system.

The vulnerabilities were discovered in Lenovo Solution Center version 2.8.006 but affect all versions prior to 3.3.0002. An attacker can simply open the Command Prompt to launch the Lenovo Solution Center service, or launch the Lenovo System Health and Diagnostics application through the Control Panel. After that, the attacker can enter a specific URL in any web browser and pull up Device Manager running as LocalSystem instead of as the current non-administrative user.

With Device Manager now loaded, an attacker can install a new “driver” that will execute whatever code they choose in user mode or kernel mode. However, the report notes that kernel mode drivers must be signed by default, whereas user mode drivers can run as a LocalService account. To execute the code, the attacker must create a “dummy” driver with an INF file that points to a malicious DLL stored on the hard drive.

From there, the attacker simply uses the “Add legacy hardware” option in Device Manager, selects “Install the hardware that I manually select from a list (Advanced),” then “Show All Devices,” and finally “Have Disk.” The attacker then locates the INF file and agrees to install the non-verified driver software.

According to the report, Trustwave contacted Lenovo about the issue with Lenovo Solution Center on January 11. Lenovo subsequently released a patch on April 26. Lenovo has published an advisory page that explains the situation and adds that attackers can target the vulnerable PC remotely as well. The company also points out that while Lenovo Solution Center may not be actively running on the screen, the vulnerable backend service process continues to run.

“A cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine. The user’s computer may still be vulnerable even if the LSC user interface is not running,” the advisory currently states.

The release history shows that 3.3.002 is the latest version of Lenovo Solution Center. Customers are encouraged to upgrade the software by clicking “Yes” or “Update Now” when prompted on the program’s user interface, depending on the version currently installed.
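As an added example (not code from the article, Trustwave or Lenovo), here is a small inventory check that flags Lenovo Solution Center installs older than the fixed release named above. The `host,version` inventory format and the host names are constructed for illustration; the article itself writes the fixed version both as 3.3.0002 and 3.3.002, which is why the comparison is numeric rather than string-based.

```python
"""Flag Lenovo Solution Center (LSC) installs older than the fixed release.
Added example, not Trustwave's or Lenovo's code. The inventory lines are
constructed sample data and the 'host,version' format is an assumption."""
import re

FIXED_VERSION = "3.3.0002"   # first release the article names as not affected


def parse_version(version: str) -> tuple:
    """Turn '2.8.006' into (2, 8, 6). Numeric comparison matters: a plain
    string comparison would rank '3.3.0002' below '3.3.002' purely because
    of the zero padding, and the article writes the fixed build both ways."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when the installed LSC build is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def hosts_needing_update(inventory: str) -> list:
    """Walk 'host,version' lines (constructed format) and list affected hosts.
    Hosts without LSC are skipped; a version that does not parse is flagged
    for review rather than silently treated as safe."""
    needing = []
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(",")
        host, version = host.strip(), version.strip()
        if not version or version.lower() == "none":
            continue          # LSC not installed on this host
        try:
            if is_affected(version):
                needing.append(host)
        except ValueError:
            needing.append(f"{host} (unparseable: {version})")
    return needing


# Constructed sample inventory: hostname, installed LSC version (or 'none').
SAMPLE_INVENTORY = """
tp-x1-01,2.8.006
tp-x1-02,3.3.0002
tc-m900-01,3.3.002
ws-p50-01,3.2.9999
ideapad-05,none
tp-t460-07,3.3.0002-beta
"""

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print("update needed:", host)
```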

As previously stated, Lenovo installs this software on most of its PCs. The suite serves as a hub for monitoring the system’s health and security such as firewall status, antivirus status, battery health, and more. It joins a number of other software components Lenovo loves to install like Lenovo App Shop, Lenovo Companion, Lenovo Reach, and so on.

This isn’t the first time Lenovo has experienced trouble with its pre-installed software. The company faced a lawsuit early last year after it pre-installed the SuperFish “man-in-the-middle” adware on a number of its consumer PCs. SuperFish not only injects suggested ads into search results, but can cause severe security issues. The company admitted to making a mistake and distributed fixes that removed SuperFish-based applications and certificates from affected Lenovo machines. Uninstall instructions were also provided.

We reached out to Lenovo for a comment but have yet to receive a reply.
