[ad_1]
Older Lenovo notebook owners should uninstall Lenovo Solution Center as soon as possible.
Pen Test Partners' security experts have discovered a critical vulnerability in the Lenovo Solution Center that could assign hacker or malware privileges to the administrator.
According to Pen Test Partners, the flaw is a crush of the Discretionary Access Control List (DACL), which means that a user with few privileges can sneak into a sensitive file by exploiting a process with elevated privileges. This is an example of "privilege escalation" attack in which a bug can be used to access resources that are normally only accessible to administrators.
In this case, an attacker could write a pseudo-file (called a physical link file) which, when executed by Lenovo Solution Center, allows access to sensitive files that it should not to be allowed to reach. From there, damaging code could be run on the system with administrator or system privileges, which is essentially an end game, as noted by Pen Test Partners.
Lenovo Solution Center is a program preinstalled on Lenovo laptops from 2011 to November 2018, which means that millions of devices could be affected. Ironically, the goal of the program is to monitor the health and safety of a Lenovo PC. Although this flaw is not so much of a concern for individual users who can quickly protect their systems, larger companies with older ThinkPad laptops and legacy software packages may react slowly.
For its part, Lenovo has issued a security statement warning users of the bug and urging them to uninstall Solution Center, which the company no longer supports.
A vulnerability reported in version 03.12.003 of Lenovo Solution Center, which is no longer supported, could allow log files to be written in non-standard locations, potentially resulting in elevated privileges. ceased support for Lenovo Solution Center and recommended that customers migrate Lenovo Vantage or Lenovo Diagnostics in April 2018, "reads the statement.
Lenovo did not specify when it had stopped sending laptops with preinstalled Solution Center. It is therefore possible that many Lenovo laptops less than one year old have unsupported software with major defects.
Lenovo has also been accused of covering its tracks. According to Pen Test Partners, after informing Lenovo of this vulnerability, the computer manufacturer would have canceled the end-of-life date of Solution Center for several months to give the impression that the feature had been removed before the release of the last version in November 2018.
"This is often the case for apps that are reaching the end of support as we continue to update them as we move to new offerings is not uncommon in the industry," said Lenovo at US newspaper The Register, when asked about this discrepancy.
If Lenovo is devious or not, the bottom line is this: if you have a Lenovo notebook manufactured between 2011 and 2018, absolutely remove the Lenovo Solution Center as soon as possible. You can do this by following this simple guide on uninstalling programs under Windows 10.
Tom's Guide has contacted Lenovo for comments. We will update this story as soon as we receive an answer.
This article appeared originally on Laptop Mag.
[ad_2]
Source link