Slashdot Mirror


Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes

Long-time Slashdot reader itwbennett writes: Lenovo is advising users to upgrade to version 3.3.003 of Lenovo Solution Center (LSC), which includes fixes for two high-severity vulnerabilities in the tool. [The tool] allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account. And the CVE-2016-5248 vulnerability allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not.

7 of 43 comments

  1. Here it is by Anonymous Coward · Score: 3, Insightful

    allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

    So, completely pointless bullshit that has no legitimate reason to exist.

    1. Re:Here it is by PsychoSlashDot · Score: 3, Insightful

      allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

      So, completely pointless bullshit that has no legitimate reason to exist.

      Not exactly. While the antivirus status is redundant, the rest isn't. Being notified that your warranty is about to expire is a good thing. Being notified that you haven't done a backup recently is a good thing. Being informed that the battery in your laptop is degraded is a good thing. Having something run scheduled tests of basic peripherals is better than not doing so, even though typically you'll know when there's a problem because your system stops working.

      While IT-fluent people are probably doing this sort of thing on their own, the vast majority of machines are either lightly managed or not managed at all.

      It's easy to mock yet another software package that is flawed. But the idea that the software is unjustified and without use is false, in most users' cases.

      --
      "Oh no... he found the .sig setting."
  2. Re:Third time by rudy_wayne · Score: 2

    Since it's coming from Lenovo they aren't making any money by installing it, so I really don't understand the motivation for putting useless bullshit on their computers.

  3. No trust since SuperFish? by martiniturbide · Score: 2

    It seems dumb to post every little security update to Lenovo software. It is like posting the Windows security fixes each week. It will be better to post this kind of news if chaos starts because of this. Is this because we lost the trust with SuperFish? Or is it because it is a Chinese company?

  4. I've got a permanent fix by zuckie13 · Score: 2

    Uninstall all software like this put on there by the hardware vendor (goes for any vendor). My firewall software can tell me if that's on. My antivirus can tell me if that's on. I can perform my own backups thank you. There ya go, fixed forever.

  5. here is the Lenovo Solution Center download by Aryeh Goretsky · Score: 4, Informative

    Hello,

    Since neither the original poster nor the article provided it, here's a link to the page where the latest version of the Lenovo Solution Center can be downloaded from:

    https://support.lenovo.com/us/...

    Note that the downloads are listed at the bottom of the page.

    Regards,

    Aryeh Goretsky

    --
    Dexter is a good dog.
  6. 1st step by Archfeld · Score: 2

    Let's face it, if you buy a pre-installed system these days your 1st step should always be format and install a 'clean' version of an OS, whatever flavor you choose.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?