Lenovo has millions of customers who count on the company’s products. Unbeknownst to those users, they were left at risk of having their devices compromised by a significant security flaw in Lenovo’s own software.
Nearly every Lenovo Think device—a lineup that includes notebooks, tablets, and desktops—comes with a piece of software called Lenovo Solution Center pre-installed. It’s designed to monitor the health and security of the device and optimize its performance, but it fell well short of that mission.
Instead, it left users vulnerable to attack from malicious software. According to security firm Trustwave, it was possible for a hacker to raise the privileges of the software and gain access to the entire system. This would allow anyone who breached the software to install malware at a system-wide level, where its presence would go undetected by the average user.
A spokesperson for Lenovo acknowledged to the Daily Dot that Trustwave approached the company about the vulnerability in the Lenovo Solution Center and noted that it could lead to unauthorized local privilege escalation, while also saying that the problem had been dealt with.
“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 again updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” the spokesperson said.
This wasn’t the first time the company had to patch the Lenovo Solution Center. The spokesperson noted that in December 2015, Lenovo posted a security advisory that acknowledged vulnerabilities in the software that could be used to compromise a system through a remote privilege escalation attack, and said the company “urgently posted fixes that addressed these vulnerabilities.”
While it’s commendable that Lenovo has expedited its response to these potentially devastating flaws in its system’s software, it’s a problem that seems to repeatedly crop up—especially with the company’s own, pre-installed software.
Undesirable software that comes packaged with a product, often called bloatware, leaves users with little choice; they didn’t install it, but they do have to deal with the consequences of having it on their devices. As is too often the case, and is the case with the Lenovo Solution Center, that software leaves users vulnerable.
Lenovo should be uniquely sensitive to this plight for its users; the company rather notably sold devices laced with the particularly nasty Superfish adware, a piece of software that hijacked users’ internet sessions and left them susceptible to having everything from their browsing habits to their passwords intercepted by hackers and advertisers.
Lenovo holds 19.8 percent of PC market share, the largest of any single vendor. Every time it installs a piece of software on a device that is susceptible to attack, it leaves millions of people exposed—plenty of whom won’t know to install a necessary update in time to be protected.