Lenovo is once again in the thick of it over its software that comes pre-installed on most Lenovo PCs. This time its Lenovo Solution Centre (LSC) software has been found to have a vulnerability that would allow anyone with local network access to the PC to execute arbitrary code. Once an attacker has local network access, they can use the software to elevate their privileges and then trick LSC into running the arbitrary code when starting up its service.
The software’s intended purpose is to monitor the overall health of the PC. It monitors the battery, firewall and checks for driver updates. It comes pre-installed on the majority of Lenovo PCs, including desktop and laptop, for both businesses and consumers.
A fix for the vulnerability was released by Lenovo and can be downloaded by visiting the software’s page on their website. A statement from a spokesperson for Lenovo said:
In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 it updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it
Regardless of any fixes Lenovo has released, this issue continues to crop up time-and-time-again; pre-installed software having security flaws. If you think back to last year, you’ll remember the Superfish debacle, in which the company pre-loaded adware on its customers systems, which could steal personal data. It isn’t just Lenovo, though. Dell has had its time in the limelight too. Its pre-installed software caused a stir over the potential for SSL attacks, after it pre-loaded an SSL certificate on its machines.