Skip to main content

Lenovo issues update fixing software vulnerabilities on many of its computers

Lenovo ThinkPad X1 Yoga
Bill Roberson/Digital Trends
Information security company Trustwave Holdings provided Digital Trends with an early glimpse into an upcoming blog set to be published on Friday afternoon, stating that the firm has discovered multiple vulnerabilities in the Lenovo Solution Center software that’s pre-installed on most Lenovo products including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select Ideapad laptops.

The report was provided by Trustwave’s Martin Rakhmanov, and reveals that the vulnerabilities in this specific Lenovo software suite allows “unprivileged” local users to run arbitrary code with the highest system-level privileges. Typically, only the administrator has full system access, but the problem allows any non-administrator account on the computer to be used to hack the system.

The exploits were discovered in Lenovo Solution Center version 2.8.006 but affects all versions prior to 3.3.0002. Hackers can simply open up the Command Prompt to launch the Lenovo Solution Center service, or launch the Lenovo System Health and Diagnostics application through the Control Panel. After that, the hackers can enter a specific URL in any web browser and pull up the Device Manager running as LocalSystem instead of the current non-administrative user.

With Device Manager now loaded, hackers can install a new “driver” that will execute whatever code they choose in user mode or kernel mode. However, the report said that the kernel mode drivers must be signed by default whereas the user mode drivers can run as a LocalService account. To execute the code, hackers must create a “dummy” driver with an INF file that points back to a malicious DLL file stored on the hard drive.

That said, hackers merely use the “Add legacy hardware” option in Device Manager, select “Install the hardware that I manually select from a list (Advanced),” then “Show All Devices,” and finally “Have Disk.” The hackers then locate the INF file and agree to install non-verified driver software.

According to the report, Trustwave contacted Lenovo about the issue with Lenovo Solution Center on January 11. Subsequently, a patch was released by Lenovo on April 26. Lenovo has provided a warning page here that explains the situation and adds that hackers can attack the vulnerable PC remotely as well. The company also points out that while Lenovo Solution Center may not be actively running on the screen, the vulnerable backend service process continues to run.

“A cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine.  The user’s computer may still be vulnerable even if the LSC user interface is not running,” the warning current states.

The release history shows that 3.3.002 is the latest version of Lenovo Solution Center. Customers are encouraged to upgrade the software by clicking “Yes” or “Update Now” when prompted on the program’s user interface, depending on the version currently installed.

As previously stated, Lenovo installs this software on most of its PCs. The suite serves as a hub for monitoring the system’s health and security such as firewall status, antivirus status, battery health, and more. It joins a number of other software components Lenovo loves to install like Lenovo App Shop, Lenovo Companion, Lenovo Reach, and so on.

This isn’t the first time Lenovo has experienced troubles with its pre-installed software. The company faced a lawsuit early last year after it pre-installed the SuperFish “man-in-the-middle” adware on a number of its consumer-based PCs. SuperFish not only injects suggested ads into search results, but can cause severe security issues. The company admitted to making a mistake and distributed fixes that removed applications and certificates based on SuperFish from purchased Lenovo solutions. Uninstall instructions were also provided here.

We reached out to Lenovo for a comment but have yet to receive a reply.

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
MSI could be prepping next-gen OLED gaming monitors — and they look insane
Marvel's Spider-Man running on the Samsung Odyssey OLED G8.

MSI is getting serious in the gaming monitor space. Newly leaked information suggests that the company is preparing at least six new QD-OLED monitors that are set to arrive in the coming months. It is said that the new models will range from 27 inches to 49 inches in size, with refresh rates of up to 360Hz.

The alleged information comes from Twitter/X user @chi11eddog, who is known for consistent and reliable leaks, particularly regarding MSI and general hardware-related information. The upcoming monitors are expected to be part of MSI’s MPG and MAG series of product lines, with the first new model scheduled for November 2023.

Read more
Bing Chat’s ads are sending users to dangerous malware sites
Bing Chat shown on a laptop.

Since it launched, Microsoft’s Bing Chat has been generating headlines left, right, and center -- and not all of them have been positive. Now, there’s a new headache for the artificial intelligence (AI) chatbot, as it’s been found it has a tendency to send you to malware websites that can infect your PC.

The discovery was made by antivirus firm Malwarebytes, which discussed the incident in a blog post. According to the company, Bing Chat is displaying malware advertisements that send users to malicious websites instead of filtering them out.

Read more
Best MSI gaming laptop deals: Save on the Bravo, Delta and Stealth
MSI GT77 Titan (2023) playing Cyberpunk 2077.

MSI makes some of the best high-end gaming laptops on the market. Their Bravo and Delta line are great for gamers on a budget, while the impressive Stealth line is here for people looking for a powerhouse mobile gaming system. Thankfully everything from the budget laptops to the professional rigs is on sale right now, so you can save hundreds on a prebuilt gaming laptop with impressive specs. Our picks for the best MSI gaming laptop deals are below.
MSI Bravo 15 -- $800, was $1,000

The MSI Bravo is a good starting place if you're just getting into the world of PC gaming. It has quality components, but nothing too flashy or expensive. It's compact at just 15.6-inches, but the screen still has a 144Hz refresh rate and 1080p resolution. The main money saver is in the AMD Ryzen 5 processor. The graphics card is an impressive Nvidia GeForce RTX 4050, which is where most of the budget goes. It skimps a bit on memory, with a standard 16GB of RAM but only 512GB of storage on its SSD.

Read more