Flaw-ridden bloatware puts nearly every Lenovo PC at risk from hackers

[starbuck]

 

A security flaw in software that's preinstalled on millions of Lenovo devices lets malware run at the system-level.

 

A serious security vulnerability has been discovered in software that's installed on almost every Lenovo notebook, tablet, and PC -- potentially affecting millions of users.

 

The affected Lenovo Security Center software allows users to see the overall health of their device, from hardware and software status, network connections, and installed security features.

 

But security researchers have found a way to raise the privileges of the software, which could let an attacker gain access to the whole system, according to a soon-to-be-released blog post by security firm Trustwave.

 

In other words, a hacker can run malware at a system-wide level -- even if the app doesn't appear to be running.

 

The good news is that Lenovo quickly patched the software after details of the vulnerability were privately disclosed.

 

The computer giant rolled out the new software last week, which will automatically ask users to install when they next open the software.

 

The software, often called "bloatware," comes installed as standard on ThinkPads, ThinkPad tablets, ThinkCenter and ThinkStation, IdeaCenter and some IdeaPads, running Windows 7 and later.

 

But this often-unwanted software -- also known as "crapware" -- remains a major issue in PC and mobile circles, particularly because it's known to put system security at risk.

 

Case in point, it's the third problem that Lenovo has been forced to address in relation to using preinstalled software in the past two years.

 

A security researcher discovered a trifecta of security flaws, affecting software that's preinstalled on laptops made by Toshiba, Dell, and Lenovo.

 

The flaw similarly would have allowed an attacker to run malware at the system level, regardless of what kind of user is logged in.

A user would have to be tricked into opening a specially-crafted web page, such as through a drive-by download or a link in an email.

 

Lenovo was also caught up in the "Superfish" adware scandal last year.

The company later promised to stop bundling preinstalled bloatware on the computers and devices it sells.

 

 

Source:

http://www.zdnet.com/article/flaw-ridden-bloatware-put-nearly-every-lenovo-pc-at-risk-from-hackers/#ftag=RSSbaffb68

[Tony D]

There's no mention about anti-malware apps being able to detect this. Wonder if an anti-rootkit app would detect it. Edited May 6, 2016 by Tony D

[starbuck]

Hi Tony,

 

It's not something that can be detected like malware.

It's a flaw in the software that could be used by a hacker to plant malware.

[allheart55 Cindy E]

Here we go again with Lenovo.

I just picked a new Lenovo laptop out for my daughter-in-law's mother.

She ordered it three days ago.

[Mommalina]

Is Lenovo's reputation going to pot?

[allheart55 Cindy E]

It sure seems like it.

[starbuck]

I just picked a new Lenovo laptop out for my daughter-in-law's mother.

and I picked out a tower yesterday as a replacement for the wifes old ailing Win7 system ( that has had more illnesses than a hypochondriac )

Luckily I resisted buying it.

[allheart55 Cindy E]

Luckily I resisted buying it.

:D She didn't resist, my bad.

Luckily, she wants me to install windows 7 on it for her so it will be wiped clean anyway.