Lenovo fixed the Lenovo Solution Center, once again the company faces problems with pre-installed bloatware causing major security problems for users.
Lenovo has fixed a security vulnerability in the Lenovo Solution Center (LSC) support tool that could be exploited by attackers to execute code with system privileges and take over the machine.
Lenovo Solution Center (LSC) software is pre-installed by Lenovo on many laptops and desktops, it is used by users to check their system information, manage updates and backups, check battery status, manage registration info and perform hardware tests.
The Lenovo Solution Center application is composed of two main components, the UI and the LSCTaskService service that always runs in the background.
The company released on April 25 the Lenovo Solution Center version 3.3.002 that includes a fix for a local privilege escalation vulnerability reported by Trustwave. The flaw could be exploited by a local Windows user to run malicious code with system privileges and take over the computer.
“Vulnerabilities were identified within LSC’s backend service process that may allow a local user to execute arbitrary code with SYSTEM level privileges. In addition, a cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine. The user’s computer may still be vulnerable even if the LSC user interface is not running.” reads the advisory from Lenovo”
This incident is the last in order of time that is related to flaw affecting software pre-installed by manufacturers on their PCs. In December, another flaw was discovered in the Lenovo LSC application.
It is important to note that in order to apply the fix users should download the latest version manually from the company website.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.