Lenovo Patches Serious Flaw In Pre-Installed Support Tool

Reader itwbennett writes: Lenovo has made available a patch for the vulnerability in its Lenovo Solution Center, a support tool which comes pre-installed on many Lenovo laptops and desktops. The vulnerability could allow attackers to execute code with system privileges and take over computers. Users should automatically be prompted to update LSC when they open the application, but in case they aren't, they should download the latest version (3.3.002) manually from Lenovo's website. This is not the first time such a vulnerability has been found and fixed in LSC. In fact, Lenovo updated an old advisory for flaws reported in December with information about the new vulnerability, making it somewhat hard to spot.

Re:

[EvilSS]

Sincerely yours, the 3PLA.

Lenovo is a Chinese company, so FTFY

Comment Subject:

[korgitser]

What is this, a serious flaw patched about half a year after it went public?

Here is an idea

[Anonymous Coward]

Don't install anything other than the Operation System.

Thank you!

dd if=/dev/zero of=/dev/sdb

[Anonymous Coward]

Step one with any newly-purchased Windows laptop: back up the recovery partition (in case it turns out I need some obscure drivers somehow not available online).

Step two: Zero the disk.

"Support" Tools used to hide the lack of support

[Anonymous Coward]

I don't know about lenovo but Asus does not have any drivers on their website at all for my laptop. The only way to get drivers is to run their "support" program, which hasn't had any updates for me in a while. I'm keeping the laptop at 8.1 because I'm pretty sure if I upgrade I won't get any windows 10 drivers.

Re:

[redback]

this is also the perfect fix for new laptops running 8.

win 10 upgrade, set to keep nothing.

Fixed on Feb 2016

[martiniturbide]

According to the source you need to update to version 3.3.002 which had been available since 2/10/2016. http://support.lenovo.com/us/e... [lenovo.com]

Re:

[martiniturbide]

Opps, sorry, it seems I read something wrong. It says the fix was April.

Superfish

[fuzzyf]

They really do not care about security. Last time it was superfish that basically removed validation for all certificates.

And when asked they just said "We thought our customers would want that"

Never buying Lenovo

Re:

[plover]

I have purchased a couple of well-equipped Lenovo laptops, and it's amazing just how awful their shovelware makes those big honkin' machines perform. I may not know what all that software is doing, but I do know they soak up CPU cycles like it's their last day on earth. Then I make sure it is their last day on earth.

The most frustrating thing about it is that when you pay that much for a higher-end computer, they feel they still have the right to shovel all that shitware onto your box so they can squeeze