Lenovo has millions of customers who count on the company’s products. Unbeknownst to those users, they were left at risk of having their devices compromised by a significant security flaw in Lenovo’s own software.
Nearly every Lenovo Think device—a lineup that includes notebooks, tablets, and desktops—comes with a piece of software called Lenovo Solution Center pre-installed. It’s designed to monitor the health and security of the device and optimize its performance, but it fell well short of that mission.
Instead, it left users vulnerable to attack from malicious software. According to security firm Trustwave, it was possible for a hacker to raise the privileges of the software and gain access to the entire system. This would allow anyone who breached the software to install malware at a system-wide level, leaving its presence undetected by the average user.
A spokesperson for Lenovo acknowledged to the Daily Dot that Trustwave approached the company about the vulnerability in the Lenovo Solution Center and noted that it could lead to unauthorized local privilege escalation, while also saying that the problem had been dealt with.
“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 again updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” the spokesperson said.
The fix wasn’t the first time the company had to patch up the Lenovo Solution Center. The spokesperson noted that in December 2015, Lenovo posted a security advisory that acknowledged vulnerabilities in the software that could be used to compromise a system through a remote privilege escalation attack, which the company addressed with “urgently posted fixes that addressed these vulnerabilities.”
While it’s commendable that Lenovo has expedited its response to these potentially devastating flaws in its system’s software, it’s a problem that seems to repeatedly crop up—especially with the company’s own, pre-installed software.
Undesirable software that comes packaged with a product, often called bloatware, leaves a user with little choice; they didn’t install it, but they do have to deal with the consequences of having it on their device. As is too often the case, and is the case with the Lenovo Solution Center, that software leaves users vulnerable.
Lenovo should be uniquely sensitive to this plight for its users; the company rather notably sold devices laced with the particularly nasty Superfish adware, a piece of software that hijacked users’ internet sessions and left them susceptible to having everything from their browsing habits to their passwords intercepted by hackers and advertisers.
Lenovo holds 19.8 percent of PC market share, the largest of any single vendor. Every time it installs a piece of software that is susceptible to attack on a device, it leaves millions of people exposed—plenty of whom won’t know to install a necessary update in time to be protected.
AJ Dellinger is a seasoned technology writer whose work has appeared in Digital Trends, International Business Times, and Newsweek. In 2018, he joined Gizmodo as the nights and weekend editor.