Lenovo has millions of customers who count on the company’s products. Unbeknownst to those users, they were left at risk of having their devices compromised by a significant security flaw in Lenovo’s own software.
Nearly every Lenovo Think device—a lineup that includes notebooks, tablets, and desktops—comes with a piece of software called Lenovo Solution Center pre-installed. It’s designed to monitor the health and security of the device and optimize its performance, but it fell well short of that mission.
Instead, it left users vulnerable to attack from malicious software. According to security firm Trustwave, it was possible for a hacker to raise the privileges of the software and gain access to the entire system. This would allow anyone who breached the software to install malware at a system-wide level, leaving its presence undetected by the average user.
A spokesperson for Lenovo acknowledged to the Daily Dot that Trustwave approached the company about the vulnerability in the Lenovo Solution Center and noted that it could lead to unauthorized local privilege escalation, while also saying that the problem had been dealt with.
“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 again updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” the spokesperson said.
The fix wasn’t the first time the company had to patch up the Lenovo Solution Center. The spokesperson noted that in December 2015, Lenovo posted a security advisory that acknowledged vulnerabilities in the software that could be used to compromise a system through a remote privilege escalation attack, and said the company “urgently posted fixes that addressed these vulnerabilities.”
While it’s commendable that Lenovo has expedited its response to these potentially devastating flaws in its system’s software, it’s a problem that seems to repeatedly crop up—especially with the company’s own, pre-installed software.
Undesirable software that comes packaged with a product, often called bloatware, leaves a user with little choice; they didn’t install it, but they do have to deal with the consequences of having it on their device. As is too often the case, and is the case with the Lenovo Solution Center, that software leaves users vulnerable.
Lenovo should be uniquely sensitive to this plight of its users; the company rather notably sold devices laced with the particularly nasty Superfish adware, a piece of software that hijacked users’ internet sessions and left them susceptible to having everything from their browsing habits to their passwords intercepted by hackers and advertisers.
Lenovo holds 19.8 percent of PC market share, the largest of any single vendor. Every time it installs a piece of software on a device that is susceptible to attack, it leaves millions of people exposed—plenty of whom won’t know to install a necessary update in time to be protected.
AJ Dellinger is a seasoned technology writer whose work has appeared in Digital Trends, International Business Times, and Newsweek. In 2018, he joined Gizmodo as the nights and weekend editor.