Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes

Long-time Slashdot reader itwbennett writes: Lenovo is advising users to upgrade to version 3.3.003 of Lenovo Solution Center (LSC), which includes fixes for two high-severity vulnerabilities in the tool. [The tool] allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account. And the CVE-2016-5248 vulnerability allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not.

Where is it?

[Teun]

I wonder where this 'tool' is located, Kubuntu 16.04 does not show it, nor do the repositories.
Does that mean I'm safe?

Re:Where is it?

It's probably a Mac thing. I wouldn’t worry about it.

Re:Where is it?

[martiniturbide]

It is only a Windows things... yeah, I know nobody uses it anymore :)

Re:Where is it?

$ dnf search lenovo
Last metadata expiration check: 2 days, 1:20:29 ago on Thu Jun 23 23:54:58 2016.
Error: No matches found.

Yeah, I have no idea what they're talking about either.

Re:Where is it?

That program for DOS?

Third time

[campuscodi]

This is the third time this year... they should just pull the plug and get it over with

Re:Third time

[rudy_wayne]

Since it's coming from Lenovo they aren't making any money by installing it, so I really don't understand the motivation for putting useless bullshit on their computers.

Re: Third time

its supposed to make them better and safer or some shit like that.

on related note these are really not serious if you consider all the ways to run stuff as localsystem or trustedinstaller on usual windows installation. btw why the fuck do nearly all sw vendors nowadays insist making their updaters run as services on windows? its fucking annoying and makes setting up decent fw rules nearly impossible.

Re:Third time

[martiniturbide]

LSC is a basic tool to scan for hardware malfunction on the machine. It is not critical and also does not have any third party publicity. I think that since SuperFish Lenovo has been watching his back about this subject. Specially on Thinkpads the software on Windows 10 is very limited and controlled (for the moment). Here it is a list of what I have found: http://www.thinkwiki.org/wiki/...

Re:Third time

[Col.+Bloodnok]

Its purpose is to tell the user when and where to buy a new battery. It might have warranty up-selling capabilities as well, I don't know - it didn't last long on my thinkpad.

Re:Third time

[Rick+Zeman]

Since it's coming from Lenovo they aren't making any money by installing it, so I really don't understand the motivation for putting useless bullshit on their computers.

It's probably got a Chinese government back door installed with it.

Re: Third time

[AmazingRuss]

"Solution Center"

Yup, useless bullshit.

Re: Third time

[spectrum-]

it's also to let you know that your warranty is up so you know when to buy another Kenobi :p

Re:Third time

[arglebargle_xiv]

To put in a word in Lenovo's defence, it's actually quite a useful support tool, it runs periodic hardware diagnostic scans to make sure there are no problems (or potential failures), handles warranty issues, driver updates, etc, particularly useful to the large number of Lenovo business uses who can't afford to have their laptop die in the middle of something like a business trip due to a previously-undiagnosed hardware issue. If it wasn't for the endless security holes, it'd one of the few pieces of bundled vendor junk that's actually worth having.

Here it is

allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

So, completely pointless bullshit that has no legitimate reason to exist.

Re:Here it is

just like stickers saying "Intel Inside" or "AMD powered"

Re:Here it is

[PsychoSlashDot]

allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

So, completely pointless bullshit that has no legitimate reason to exist.

Not exactly. While the antivirus status is redundant, the rest isn't. Being notified that your warranty is about to expire is a good thing. Being notified that you haven't done a backup recently is a good thing. Being informed that the battery in your laptop is degraded is a good thing. Having something run scheduled tests of basic peripherals is better than not doing so, even though typically you'll know when there's a problem because your system stops working.

While IT-fluent people are probably doing this sort of thing on their own, the vast majority of machines are either lightly managed or not managed at all.

It's easy to mock yet another software package that is flawed. But the idea that the software is unjustified and without use is false, in most users' cases.

Re:Here it is

it's bitztream, the autism-hating Slashdot troll!

Re:Here it is

[dcooper_db9]

Most of the features are redundant in Windows

Being notified that your warranty is about to expire is a good thing

Perhaps. If you're likely to renew a warranty. Otherwise you only need to know if the warranty has expired after a failure.

Being notified that you haven't done a backup recently is a good thing.

This is built into Windows.

Being informed that the battery in your laptop is degraded is a good thing

This is important. I get a lot of users who notice that their battery doesn't last as long as it used to. I think they expect the battery to just stop working and don't really understand that they degrade slowly. But Lenovo doesn't just warn you that the battery is degraded. They tell you the battery is degraded after (I think) two years whether it is or not. They want you to buy another battery. Besides, true battery monitoring is also built into Windows.

Having something run scheduled tests of basic peripherals is better than not doing so, even though typically you'll know when there's a problem because your system stops working.

This is rarely true. With the exception of the hard drive every component I can think of will either fail or not. Being warned after it happens is not helpful. As for hard drives, they should not be tested. Stress tests, as used in the Lenovo software will accelerate degradation. Users should monitor the S.M.A.R.T. status for warning signs. I prefer to use HDD Guardian. It's licensed MPL-2.0 and the results are easy to understand.

Re:Here it is

[PsychoSlashDot]

Warranty: discovering your warranty has expired after the fact is a problem because you can't reinstate coverage quickly. Being reminded that the expiry is coming up encourages you to renew before that happens. Yes, that costs you money, but that's to your benefit.

Backup: Windows Backup is a sad sack of crap.

Battery: I'm responsible for, directly use, and own several Lenovo Thinkpad class laptops. No, they don't have anything resembling a timed false-positive battery degradation alert. This is fabricated or your experience is unusual.

Hardware tests: I did voluntarily say that hardware tests generally won't reveal anything until your system has already stopped working. As for hard drive tests... guess what... the Lenovo scheduled tests are SMART short and long tests, not exhaustive drive stress-tests.

Re:Here it is

allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

So, completely pointless bullshit that has no legitimate reason to exist.

Not exactly. While the antivirus status is redundant, the rest isn't. Being notified that your warranty is about to expire is a good thing. Being notified that you haven't done a backup recently is a good thing. Being informed that the battery in your laptop is degraded is a good thing. Having something run scheduled tests of basic peripherals is better than not doing so, even though typically you'll know when there's a problem because your system stops working.

While IT-fluent people are probably doing this sort of thing on their own, the vast majority of machines are either lightly managed or not managed at all.

It's easy to mock yet another software package that is flawed. But the idea that the software is unjustified and without use is false, in most users' cases.

Those who haven't done a backup recently have most likely never done a backup.
Knowing when your warranty will expire would require the registration of said laptop, which many people have not done and so this tool would be flawed on its face.
Sure, knowing when your battery has degraded would be great as long as there's not a flawed bit of software checking it.....oh wait.

My warranty period expiration date could easily be sent via email, Lenovo could send information about degraded battery life and the typical lifespan of said battery again through email and could even send a white paper about backups and why they're important through, you guessed it, email.
I don't want spam software on my laptop which comes with so many issues it's not funny anymore. Spam belongs in my spam folder for a reason.

No trust since SuperFish ?

[martiniturbide]

It seems dumb to post every little security update to Lenovo software. It is like posting the Windows security fixes each week. It will be better to post this kind of news if a chaos starts because of this. Is this because we lost the trust with SuperFish? or it is because it is a Chinese company?

Re: No trust since SuperFish ?

Nolove for Lenovo :(

Re:No trust since SuperFish ?

It seems dumb to post every little security update to Lenovo software.

Yea, it's almost as if Bizx is getting paid to place this kind of thing on /.

Re: No trust since SuperFish ?

Correct. Too late Lenovo!! The damage is already done, and these attempts to regain trust are pathetic. FU and your PR campaign, cause we know you don't give two shits about "users" security.

Re:No trust since SuperFish ?

You think you're mad now? Imagine if they'd used the DEC logo for this article!

I've got a permanent fix

[zuckie13]

Uninstall all software like this put on there by the hardware vendor (goes for any vendor). My firewall software can tell me if that's on. My antivirus can tell me if that's on. I can perform my own backups thank you. There ya go, fixed forever.

Re:I've got a permanent fix

+1.

I've been using their laptops for years, but I uninstall their proprietary software first chance I get.

Re:I've got a permanent fix

[mrprogrammerman]

That's what Windows Security Center is for (reporting on AV, firewall, backups, etc.). It's better than everyone coming up with their own version of it.

Re:I've got a permanent fix

[Z00L00K]

There is a reason to do a clean install from an uncontaminated media just to make sure.

However I was a bit confused by the title of the article - when first reading I thought that Lenovo didn't want people to upgrade from a tool with security holes.

Re:I've got a permanent fix

[fph+il+quozientatore]

And who notifies you when there is a driver update? Oh, right, nobody does.

Why even keep it installed?

[carlhaagen]

Given the rather invasive abilities this "solution center" has I'm surprised people just don't uninstall that piece of malware once and for all.

No Surprise Here

[thundercattt]

Lenovo hasn't been the swiftest company in the running. Lackluster attempts at updates, knowingly selling laptops with defective motherboards, selling a tablet that they had no replacement parts for (people waited months for repairs)

Re:No Surprise Here

[Z00L00K]

Their behavior is not much different from IBM before Lenovo took over the PC business. Slow and sluggish reaction providing crappy hardware with custom OS.

Only difference was that the OS at the time of IBM was so riddled with insecurities that any added tools didn't matter.

here is the Lenovo Solution Center download

[Aryeh+Goretsky]

Hello,

Since neither the original poster or the article provided it, here's a link to the page where the latest version of the Lenovo Solution Center can be downloaded from:

https://support.lenovo.com/us/...

Note that the downloads are listed at the bottom of the page.

Regards,

Aryeh Goretsky

Re:here is the Lenovo Solution Center download

Thank you, now I can block that URL on my router to protect users from Lenovo spyware, MITM, advertising, Chinese government, and other garbage.

1st step

[Archfeld]

Lets face it, if you buy a pre-installed system these days your 1st step should always be format and install a 'clean' version of an OS, whatever flavor you choose.

Re:1st step

[Z00L00K]

CP/M-86 would be fine. At least the amount of malware is small.

CHINEASE CANT DO SOFTWARE

worth more than a peking minute unless it was stolen from the us and then it still cant do it right

No crapware

Years ago we got a fujitsu laptop and it came with no crapware. It was so fast with raw windows that we got more of them. Maybe one of the big brands could learn that no crapware == faster laptops and therefore more sales. Maybe enough to compensate for the cash they get from winzip and the like.

Do a clean install, remove this, searh for that, o

Don't use windows. Problem solved. What, exactly, does it do anyway?

I'm serious now, all kidding aside, why do people run this? If you want a commercial OS, there is Mac OS and you can even run M$ Office (because your customers expect that), and it's a real UNIX too. If you don't have those needs any Linux will do just fine. What do you need Windows for?

LOL

[Archfeld]

Will it even run on intel chips these days. I remember using as a youngster, a friends dad worked for the Navy as a physicist and we played the original Zork on it.
I read somewhere the new OS/2 called Blue Lion was coming to modern hardware. I'd really love to see it work smoothly and get full industry support. I'd smoke that pipe again.