Lenovo has released a new version 3.3.003 of Lenovo Solution Center, because prior versions come with two critical vulnerabilities. Here are a few hints on how to handle the new security disaster.
Lenovo Solution Center: Bloatware as a security risk
According to Lenovo, the Lenovo Solution Center (LSC) is a new software application created by Lenovo for Think products that helps users get the most out of their PC experience.
The new software allows users to quickly identify the status for system health, network connections and overall system security. Here are the features provided by LSC:
- Intuitive dashboard interface that is easy to navigate
- Pre-installed (and available for download) on new Lenovo 64-bit and 32-bit Windows 8 and 7 systems
- Full certification with "Certified for Windows 7" logo program
- Windows Taskbar notification if something needs attention
- Automatic notification of application updates
- Keep the computer running at peak performance
- Diagnose hardware problems
- See historical system performance and changes
- One-click access to Lenovo Support
- Access all of Lenovo software from one place
The vendor writes: Lenovo Solution Center (LSC) is pre-installed on Lenovo computers with Windows 8 and Windows 7, but the software is also downloadable for Windows 10 systems (64-bit and 32-bit).
Unfortunately LSC is known as a permanent security risk on Lenovo computers (see my article Lenovo Solution Center vulnerable again from May 2016).
Version 3.3.003 fixes two vulnerabilities
Lenovo has published a security advisory addressing two vulnerabilities, CVE-2016-5248 and CVE-2016-5249. Both high-severity vulnerabilities allow privilege escalation from unprivileged user accounts to LocalSystem.
Local privilege escalation vulnerabilities were identified in Lenovo Solution Center where unprivileged local users could terminate processes running at higher privilege levels (CVE-2016-5248) or execute arbitrary code (CVE-2016-5249) with LocalSystem account privileges.
According to PCWorld, the flaws could allow attackers to execute malicious code with system privileges and to kill other processes. This can be used to compromise a Windows system.
All Lenovo Solution Center installs up to version 3.3.002 are affected. Lenovo advises users to upgrade to LSC version 3.3.003. This can be done by:
- Updating via Lenovo Solution Center
- Updating via the Lenovo System Update utility
- Updating via direct download
My recommendation is to uninstall Lenovo Solution Center via control panel – uninstall programs. Side note: A reader of my German article has informed me that LSC also requires parts of Adobe AIR (also a security nightmare). So, after uninstalling LSC you should also dump Adobe AIR.
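To find out which machines still need the upgrade or uninstall described above, the following PowerShell audit is an added example (not code from Lenovo or from this article). It assumes that LSC and Adobe AIR register under the standard Windows Uninstall registry keys with display names containing "Lenovo Solution Center" and "Adobe AIR", and that the version is stored as a dotted number; the function names are hypothetical.

```powershell
# Added example: report Lenovo Solution Center installs older than 3.3.003.
# Assumption: the products register under the standard Uninstall keys and
# DisplayVersion is a dotted numeric string such as 3.3.002 or 3.3.002.00.
$FixedVersion = [version]'3.3.003'   # first fixed release named in the advisory

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProduct {
    param([string]$NamePattern)
    # Entries without a DisplayName evaluate to $null and never match -like.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }
}

function Test-LscVersion {
    param([string]$DisplayVersion)
    $parsed = $null
    # An unparsable or missing version is reported, never silently treated as fixed.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'Unknown' }
    if ($parsed -lt $FixedVersion) { 'Vulnerable' } else { 'Fixed' }
}

$report = @(foreach ($p in Get-InstalledProduct '*Lenovo Solution Center*') {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $p.DisplayName
        Version  = $p.DisplayVersion
        Status   = Test-LscVersion $p.DisplayVersion
    }
})

if ($report.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: Lenovo Solution Center not installed"
} else {
    $report | Format-Table -AutoSize
}

# The article's side note: Adobe AIR may be left behind after LSC is removed.
Get-InstalledProduct '*Adobe AIR*' |
    Select-Object DisplayName, DisplayVersion |
    Format-Table -AutoSize
```

Any row with status Vulnerable or Unknown needs the update to 3.3.003 or removal of LSC; a remaining Adobe AIR entry on a machine without LSC is a candidate for uninstalling as well.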