Lenovo Bloatware Patched to Fix System Takeover Bug

Share this…

Lenovo Solution Center allowed attackers to get admin access. Lenovo has hid a crucial security update in an old security advisory from last year. The advisory details fixes for a vulnerability that if exploited could allow a malicious actor to take over the user’s computer via the company’s pre-installed junkware called the Lenovo Solution Center.

Lenovo users should now go to Lenovo’s website and download the Lenovo Solution Center version 3.3.002 in order to patch their systems against the vulnerability identified as CVE-2016-1876.

Newest issue allows total device takeover

An unnamed security researcher from Trustwave discovered the issue, which is a local privilege escalation that allows an attacker to get elevated system access, which in turn allows him to execute code without restrictions on the machine. Depending on the attacker’s skill level, he can very easily take over a user’s device.

The Lenovo Solution Center is a software application that comes pre-installed on all Lenovo laptops and computers. The company designed it to help users manage their drivers, install necessary updates, or debug their computers.

Despite their best intentions, the software is rarely used, and very few users know of its presence. In industry circles, such built-in & rarely used software is often referred to as junkware or bloatware.

Lenovo has a history of security issues

This is not the first time security experts have found issues in Lenovo’s backyard. In February 2015, researchers found that Lenovo was dispatching a root certificate with its laptops. This incident became infamous in infosec circles as Superfish.

Later in December, security researchers from LizardHQ discovered three different issues in the bloatware of Dell, Toshiba, and Lenovo devices.

In that incident, Lenovo’s Solution Center featured another privilege escalation issue, which the company fixed with version 2.0. It is in the advisory of this issue where Lenovo added the second problem reported by the Trustawave researcher.