Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes

Long-time Slashdot reader itwbennett writes: Lenovo is advising users to upgrade to version 3.3.003 of Lenovo Solution Center (LSC), which includes fixes for two high-severity vulnerabilities in the tool. [The tool] allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account. And the CVE-2016-5248 vulnerability allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not.

Where is it?

[Teun]

I wonder where this 'tool' is located, Kubuntu 16.04 does not show it, nor do the repositories.
Does that mean I'm safe?

Re:

[martiniturbide]

It is only a Windows things... yeah, I know nobody uses it anymore :)

Third time

[campuscodi]

This is the third time this year... they should just pull the plug and get it over with

Re:

[rudy_wayne]

Since it's coming from Lenovo they aren't making any money by installing it, so I really don't understand the motivation for putting useless bullshit on their computers.

Re: Third time

[AmazingRuss]

"Solution Center"

Yup, useless bullshit.

Re:

[martiniturbide]

LSC is a basic tool to scan for hardware malfunction on the machine. It is not critical and also does not have any third party publicity. I think that since SuperFish Lenovo has been watching his back about this subject. Specially on Thinkpads the software on Windows 10 is very limited and controlled (for the moment). Here it is a list of what I have found: http://www.thinkwiki.org/wiki/... [thinkwiki.org]

Re:

[Col. Bloodnok]

Its purpose is to tell the user when and where to buy a new battery. It might have warranty up-selling capabilities as well, I don't know - it didn't last long on my thinkpad.

Re: Third time

[spectrum-]

it's also to let you know that your warranty is up so you know when to buy another Kenobi :p

Re:

[Rick Zeman]

Since it's coming from Lenovo they aren't making any money by installing it, so I really don't understand the motivation for putting useless bullshit on their computers.

It's probably got a Chinese government back door installed with it.

Re:

[arglebargle_xiv]

To put in a word in Lenovo's defence, it's actually quite a useful support tool, it runs periodic hardware diagnostic scans to make sure there are no problems (or potential failures), handles warranty issues, driver updates, etc, particularly useful to the large number of Lenovo business uses who can't afford to have their laptop die in the middle of something like a business trip due to a previously-undiagnosed hardware issue. If it wasn't for the endless security holes, it'd one of the few pieces of bund

Here it is

[Anonymous Coward]

allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

So, completely pointless bullshit that has no legitimate reason to exist.

Re:Here it is

[PsychoSlashDot]

allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.

So, completely pointless bullshit that has no legitimate reason to exist.

Not exactly. While the antivirus status is redundant, the rest isn't. Being notified that your warranty is about to expire is a good thing. Being notified that you haven't done a backup recently is a good thing. Being informed that the battery in your laptop is degraded is a good thing. Having something run scheduled tests of basic peripherals is better than not doing so, even though typically you'll know when there's a problem because your system stops working.

While IT-fluent people are probably doing this sort of thing on their own, the vast majority of machines are either lightly managed or not managed at all.

It's easy to mock yet another software package that is flawed. But the idea that the software is unjustified and without use is false, in most users' cases.

Re:

[dcooper_db9]

Most of the features are redundant in Windows

Being notified that your warranty is about to expire is a good thing

Perhaps. If you're likely to renew a warranty. Otherwise you only need to know if the warranty has expired after a failure.

Being notified that you haven't done a backup recently is a good thing.

This is built into Windows.

Being informed that the battery in your laptop is degraded is a good thing

This is important. I get a lot of users who notice that their battery doesn't last as long as it used to. I think they expect the battery to just stop working and don't really understand that they degrade slowly. But Lenovo doesn't just warn you that the battery is degraded. They tell you the battery is degraded

Re:

[PsychoSlashDot]

Warranty: discovering your warranty has expired after the fact is a problem because you can't reinstate coverage quickly. Being reminded that the expiry is coming up encourages you to renew before that happens. Yes, that costs you money, but that's to your benefit.

Backup: Windows Backup is a sad sack of crap.

Battery: I'm responsible for, directly use, and own several Lenovo Thinkpad class laptops. No, they don't have anything resembling a timed false-positive battery degradation alert. This is fabri

No trust since SuperFish ?

[martiniturbide]

It seems dumb to post every little security update to Lenovo software. It is like posting the Windows security fixes each week. It will be better to post this kind of news if a chaos starts because of this. Is this because we lost the trust with SuperFish? or it is because it is a Chinese company?

I've got a permanent fix

[zuckie13]

Uninstall all software like this put on there by the hardware vendor (goes for any vendor). My firewall software can tell me if that's on. My antivirus can tell me if that's on. I can perform my own backups thank you. There ya go, fixed forever.

Re:

[mrprogrammerman]

That's what Windows Security Center is for (reporting on AV, firewall, backups, etc.). It's better than everyone coming up with their own version of it.

Re:

[Z00L00K]

There is a reason to do a clean install from an uncontaminated media just to make sure.

However I was a bit confused by the title of the article - when first reading I thought that Lenovo didn't want people to upgrade from a tool with security holes.

Re:

[fph il quozientatore]

And who notifies you when there is a driver update? Oh, right, nobody does.

Why even keep it installed?

[carlhaagen]

Given the rather invasive abilities this "solution center" has I'm surprised people just don't uninstall that piece of malware once and for all.

No Surprise Here

[thundercattt]

Lenovo hasn't been the swiftest company in the running. Lackluster attempts at updates, knowingly selling laptops with defective motherboards, selling a tablet that they had no replacement parts for (people waited months for repairs)

Re:

[Z00L00K]

Their behavior is not much different from IBM before Lenovo took over the PC business. Slow and sluggish reaction providing crappy hardware with custom OS.

Only difference was that the OS at the time of IBM was so riddled with insecurities that any added tools didn't matter.

here is the Lenovo Solution Center download

[Aryeh Goretsky]

Hello,

Since neither the original poster or the article provided it, here's a link to the page where the latest version of the Lenovo Solution Center can be downloaded from:

https://support.lenovo.com/us/... [lenovo.com]

Note that the downloads are listed at the bottom of the page.

Regards,

Aryeh Goretsky

1st step

[Archfeld]

Lets face it, if you buy a pre-installed system these days your 1st step should always be format and install a 'clean' version of an OS, whatever flavor you choose.

Re:

[Z00L00K]

CP/M-86 would be fine. At least the amount of malware is small.

LOL

[Archfeld]

Will it even run on intel chips these days. I remember using as a youngster, a friends dad worked for the Navy as a physicist and we played the original Zork on it.
I read somewhere the new OS/2 called Blue Lion was coming to modern hardware. I'd really love to see it work smoothly and get full industry support. I'd smoke that pipe again.