Lenovo software has a major security risk

The Lenovo Solution Center is susceptible to a malware exploit. A fix is available for download.

Michael Kan

Just as the dust has settled on the Superfish controversy, another piece of software installed on Lenovo PCs is causing problems. This time it's due to a major malware exploit.

The problem is with Lenovo Solution Center (LSC) software, which the company describes as "a central hub for monitoring system health and security." LSC is supposed to monitor your system's virus and firewall status, update your software, perform backups, check battery health, and get registration and warranty information.

Unfortunately, it also has a vulnerability that allows an attacker to start the LSC service and trick it into executing arbitrary code in the local system context, according to researchers at Trustwave SpiderLabs.

The SpiderLabs researcher who found the exploit said it is a pretty bad vulnerability, but it does require an existing user to be logged in to pull off any attack, so it could not be exploited remotely like most vulnerabilities.

A fix for the vulnerability has been released by Lenovo and can be downloaded by visiting the software's page on the Lenovo home site. It's only because a fix is available that SpiderLabs disclosed the vulnerability.

This is not the first time there has been a problem with LSC. In December 2015, a hacking group called Slipstream/RoL demonstrated a proof-of-concept exploit that allowed a malicious web page to execute code on Lenovo PCs with system privileges. They did it without warning Lenovo in advance, which was not very cool.
