Lenovo fixes yet another major security vulnerability
This past year hasn't been kind to Lenovo. The company has had quite a few security problems on its hands, most affecting its Windows software. The PC maker has issued patch after patch to address them, but it now looks like the saga is far from over.
A security researcher has uncovered a new vulnerability in the Lenovo Solution Center software, which comes preloaded on the company's desktops and laptops to help users monitor things like battery life and driver updates.
"The flaw allows an attacker to elevate privileges and is tied to the LSC application’s backend. It opens the door for a malicious attacker to start the LSC service and trick it into executing arbitrary code in the local system context", says Karl Sigler, who is responsible for finding this flaw.
"This is a pretty bad vulnerability, but it does require an existing user to be logged in in order to pull off any attack", adds Sigler. "For a malicious insider or for an attacker that already has a foothold in the network, this vulnerability could be used to make that foothold a full gateway to your network".
The good news is that Lenovo has fixed this vulnerability and issued a patch for its software. You can download it from here. Solution Center also had to be patched in December, after a hacking group called Slipstream/RoL discovered a flaw allowing a webpage to execute code on Lenovo's devices using system privileges.