Sneaky Lenovo patches hole

Lenovo has quietly patched a hole in the software it bundles with its laptops and desktop PCs that can be exploited by malicious code to hijack the hardware.

The Lenovo Solution Center can give malware and other nasties on a machine a leg up to system-level privileges. The hole has been fixed in version 3.3.002, according to this updated support page, so make sure that, or a later version, is installed. The flaw, CVE-2016-1876, was found and reported by Martin Rakhmanov of Trustwave's SpiderLabs.

In a statement, Lenovo said:

In December 2015, Lenovo posted a security advisory that acknowledged vulnerabilities in its Lenovo Solution Center (LSC) software that could be used to compromise a system through a remote privilege escalation attack. Lenovo then urgently posted fixes that addressed these vulnerabilities. Subsequently, Trustwave, an independent researcher, reported to Lenovo a separate security vulnerability in Lenovo Solution Center that could lead to an unauthorized local privilege escalation.

In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 again updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it. We recommend users update their systems to the latest Lenovo System Update version 3.3.002 that addresses all of the known security vulnerabilities.

You may remember Lenovo Solution Center from last year: in December, the PC giant's support software let malicious webpages commandeer victims' machines, and security patches were emitted for the software. ®
