Slashdot Mirror


Lenovo Patches Serious Flaw In Pre-Installed Support Tool (csoonline.com)

Reader itwbennett writes: Lenovo has made available a patch for the vulnerability in its Lenovo Solution Center, a support tool which comes pre-installed on many Lenovo laptops and desktops. The vulnerability could allow attackers to execute code with system privileges and take over computers. Users should automatically be prompted to update LSC when they open the application, but in case they aren't, they should download the latest version (3.3.002) manually from Lenovo's website. This is not the first time such a vulnerability has been found and fixed in LSC. In fact, Lenovo updated an old advisory for flaws reported in December with information about the new vulnerability, making it somewhat hard to spot.

22 comments

  1. Not a bug, a feature. by Anonymous Coward · · Score: 0

    Sincerely yours, the NSA.

    1. Re:Not a bug, a feature. by EvilSS · · Score: 1

      Sincerely yours, the 3PLA.

      Lenovo is a Chinese company, so FTFY

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:Not a bug, a feature. by Anonymous Coward · · Score: 0

      It's an international company, so it's complicated. They have headquarters in both China and the US, and a large part of their operation is based in the US.

  2. Comment Subject: by korgitser · · Score: 1

    What is this, a serious flaw patched about half a year after it went public?

    --
    FCKGW 09F9 42
  3. Here is an idea by Anonymous Coward · · Score: 2, Insightful

    Don't install anything other than the Operating System.

    Thank you!

    1. Re:Here is an idea by Anonymous Coward · · Score: 0

      You can't even trust that if it came from Lenovo. Lenovo ships PCs infected with software intentionally designed to make them *less secure*. Sure, people found Superfish, but how do we know what else they've messed with? I do not buy anything from Lenovo, they can't be trusted.

  4. dd if=/dev/zero of=/dev/sdb by Anonymous Coward · · Score: 1

    Step one with any newly-purchased Windows laptop: back up the recovery partition (in case it turns out I need some obscure drivers somehow not available online).

    Step two: Zero the disk.

    1. Re:dd if=/dev/zero of=/dev/sdb by Anonymous Coward · · Score: 0

      DAMN STRAIGHT!

      Seriously, it boggles my mind how many fools think they removed the crap/vulnerabilities because they used the uninstall from the control panel to remove those applications. Do you really trust those knuckleheads to uninstall their software correctly?

      "nuke it from orbit it's the only way to be sure"

      I'd even add a couple /dev/urandom passes just to make sure:
      dd if=/dev/urandom of=/dev/sda;dd if=/dev/urandom of=/dev/sda;dd if=/dev/zero of=/dev/sda

  5. "Support" Tools used to hide the lack of support by Anonymous Coward · · Score: 1

    I don't know about Lenovo but Asus does not have any drivers on their website at all for my laptop. The only way to get drivers is to run their "support" program, which hasn't had any updates for me in a while. I'm keeping the laptop at 8.1 because I'm pretty sure if I upgrade I won't get any Windows 10 drivers.

  6. don't upgrade by Anonymous Coward · · Score: 0

    remove this crap instead

  7. Win 10 by Anonymous Coward · · Score: 0

    Love that MS finally lets us download the OS, and there are no special partner versions. Step 1 for a new laptop - reinstall the OS.

    1. Re:Win 10 by redback · · Score: 1

      this is also the perfect fix for new laptops running 8.

      win 10 upgrade, set to keep nothing.

  8. Fixed on Feb 2016 by martiniturbide · · Score: 1

    According to the source you need to update to version 3.3.002 which had been available since 2/10/2016. http://support.lenovo.com/us/e...

    1. Re:Fixed on Feb 2016 by martiniturbide · · Score: 1

      Oops, sorry, it seems I read something wrong. It says the fix was April.

    2. Re:Fixed on Feb 2016 by Anonymous Coward · · Score: 0

      So where is the download? The latest version I see on support.lenovo.com is the one you linked to: 3.2.004 for Windows 10, 2.8.007 for Windows 7 and 8, both from February. When I opened LSC 10 minutes ago it didn't prompt me to upgrade, now it does, so I'm getting the new version, but I still don't see it on the website.

  9. Superfish by fuzzyf · · Score: 1

    They really do not care about security. Last time it was superfish that basically removed validation for all certificates.

    And when asked they just said "We thought our customers would want that"

    Never buying Lenovo

  10. Bloatware by Anonymous Coward · · Score: 0

    You mean that garbage most of us probably already remove from the system the first time we start it up?

    1. Re:Bloatware by Anonymous Coward · · Score: 0

      If by 'remove' you mean uninstall through the Windows Control Panel, how do you know you got all of it? It's probably not completely gone, and vulnerabilities may remain.

      In fact, the only way to know if the vulnerabilities are gone, is to prove that all vulnerabilities are gone, which is impossible.

      So, that means that the only way to truly remove the vulnerabilities is to zero out the storage device (maybe dump a random first) a couple times, then install the OS from scratch.

      "nuke it from orbit it's the only way to be sure"

  11. Uninstall those helper tools! by Anonymous Coward · · Score: 0

    I generally uninstall every tool the OEM installs. Dell just had similar problems with its user assist apps. People I guess don't know you don't have to have this stuff installed. If it's needed or a tech needs to do a remote desktop fix or diagnose your PC, it can easily install this stuff when it's needed. Your PC will run so much better if you keep stuff off of it you do not need. I guarantee you'll be surprised what OEM stuff runs in the background slowing down PC boots and taking up memory and CPU cycles. Just get rid of it!

    1. Re:Uninstall those helper tools! by plover · · Score: 2

      I have purchased a couple of well-equipped Lenovo laptops, and it's amazing just how awful their shovelware makes those big honkin' machines perform. I may not know what all that software is doing, but I do know they soak up CPU cycles like it's their last day on earth. Then I make sure it is their last day on earth.

      The most frustrating thing about it is that when you pay that much for a higher-end computer, they feel they still have the right to shovel all that shitware onto your box so they can squeeze another lousy $20 bounty out of the sale. They're paying for it, though - I've been recommending friends and family avoid Lenovo, and so far they've lost thousands of dollars worth of our business. Enjoy your $20, Lenovo. Buy yourselves a couple of beers, then go beat up your finance guy who thinks that shovelware is a smart business plan.

      --
      John
    2. Re:Uninstall those helper tools! by Anonymous Coward · · Score: 0

      Uninstalling is bad practice. You trust the idiots who created the vendor software full of vulnerabilities to uninstall it?

      Unless you zero out the storage device, you are taking unnecessary chances.

      While you are at it, don't re-install vendor provided drivers (if necessary). Go direct to the component mfg. De-package and install drivers only. Use another computer if necessary (which is zeroed after it's done with the task)