Slashdot Mirror


Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes

Long-time Slashdot reader itwbennett writes: Lenovo is advising users to upgrade to version 3.3.003 of Lenovo Solution Center (LSC), which includes fixes for two high-severity vulnerabilities in the tool. [The tool] allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account. And the CVE-2016-5248 vulnerability allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not.

2 of 43 comments

  1. Here it is by Anonymous Coward · Score: 3, Insightful

    allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

    So, completely pointless bullshit that has no legitimate reason to exist.

    1. Re:Here it is by PsychoSlashDot · Score: 3, Insightful

      allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

      So, completely pointless bullshit that has no legitimate reason to exist.

      Not exactly. While the antivirus status is redundant, the rest isn't. Being notified that your warranty is about to expire is a good thing. Being notified that you haven't done a backup recently is a good thing. Being informed that the battery in your laptop is degraded is a good thing. Having something run scheduled tests of basic peripherals is better than not doing so, even though typically you'll know when there's a problem because your system stops working.

      While IT-fluent people are probably doing this sort of thing on their own, the vast majority of machines are either lightly managed or not managed at all.

      It's easy to mock yet another software package that is flawed. But the idea that the software is unjustified and without use is false, in most users' cases.

      --
      "Oh no... he found the .sig setting."