Skip to main content

Lenovo bloatware security hole

Lenovo, the world’s largest PC manufacturer, has managed to shoot itself in the foot once more after another security hole was discovered.

Lenovo has admitted to a self inflicted ‘bloatware’ security hole and has requested that its customers’ remove it’s own software from their machines due to a security flaw.

The security issue was first published by Carnegie Mellon’s Computer Emergency Readiness Team: “By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.”

Lenovo has been instructing its users to uninstall Lenovo Solution Center, which comes pre-installed on many Lenovo laptops and desktops. The proprietary software provides a health and security dashboard for users to monitor the status of their systems, but the program has often been described as bloatware, a term that describes unnecessary software that computer makers preinstall on your system.

Lenovo’s security response is to instruct users to simply uninstall the application, it stated:
“Lenovo was recently alerted by a cyber-security threat intelligence partner and US-CERT to a vulnerability report concerning its Lenovo Solution Center (LSC) application. We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. To remove the potential risk posed by this vulnerability, users can un-install the Lenovo Solution Center application using the add/remove programs function.”

This is not the first time this year that Lenovo has been the victim of security risks from its own software. In February, researchers discovered a preloaded piece of software called Superfish that essentially allowed hackers to read encrypted web-browsing data, even on-line passwords.

Lenovo, though, is not alone in introducing security flaws onto its devices through pre-installed proprietary software, and experts advise that users should un-install any software that comes with their systems that they do not use.