Skip to main content

Lenovo issues update fixing software vulnerabilities on many of its computers

Lenovo ThinkPad X1 Yoga
Bill Roberson/Digital Trends
Information security company Trustwave Holdings provided Digital Trends with an early glimpse into an upcoming blog set to be published on Friday afternoon, stating that the firm has discovered multiple vulnerabilities in the Lenovo Solution Center software that’s pre-installed on most Lenovo products including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select Ideapad laptops.

The report was provided by Trustwave’s Martin Rakhmanov, and reveals that the vulnerabilities in this specific Lenovo software suite allows “unprivileged” local users to run arbitrary code with the highest system-level privileges. Typically, only the administrator has full system access, but the problem allows any non-administrator account on the computer to be used to hack the system.

Recommended Videos

The exploits were discovered in Lenovo Solution Center version 2.8.006 but affects all versions prior to 3.3.0002. Hackers can simply open up the Command Prompt to launch the Lenovo Solution Center service, or launch the Lenovo System Health and Diagnostics application through the Control Panel. After that, the hackers can enter a specific URL in any web browser and pull up the Device Manager running as LocalSystem instead of the current non-administrative user.

Please enable Javascript to view this content

With Device Manager now loaded, hackers can install a new “driver” that will execute whatever code they choose in user mode or kernel mode. However, the report said that the kernel mode drivers must be signed by default whereas the user mode drivers can run as a LocalService account. To execute the code, hackers must create a “dummy” driver with an INF file that points back to a malicious DLL file stored on the hard drive.

That said, hackers merely use the “Add legacy hardware” option in Device Manager, select “Install the hardware that I manually select from a list (Advanced),” then “Show All Devices,” and finally “Have Disk.” The hackers then locate the INF file and agree to install non-verified driver software.

According to the report, Trustwave contacted Lenovo about the issue with Lenovo Solution Center on January 11. Subsequently, a patch was released by Lenovo on April 26. Lenovo has provided a warning page here that explains the situation and adds that hackers can attack the vulnerable PC remotely as well. The company also points out that while Lenovo Solution Center may not be actively running on the screen, the vulnerable backend service process continues to run.

“A cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user’s machine.  The user’s computer may still be vulnerable even if the LSC user interface is not running,” the warning current states.

The release history shows that 3.3.002 is the latest version of Lenovo Solution Center. Customers are encouraged to upgrade the software by clicking “Yes” or “Update Now” when prompted on the program’s user interface, depending on the version currently installed.

As previously stated, Lenovo installs this software on most of its PCs. The suite serves as a hub for monitoring the system’s health and security such as firewall status, antivirus status, battery health, and more. It joins a number of other software components Lenovo loves to install like Lenovo App Shop, Lenovo Companion, Lenovo Reach, and so on.

This isn’t the first time Lenovo has experienced troubles with its pre-installed software. The company faced a lawsuit early last year after it pre-installed the SuperFish “man-in-the-middle” adware on a number of its consumer-based PCs. SuperFish not only injects suggested ads into search results, but can cause severe security issues. The company admitted to making a mistake and distributed fixes that removed applications and certificates based on SuperFish from purchased Lenovo solutions. Uninstall instructions were also provided here.

We reached out to Lenovo for a comment but have yet to receive a reply.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Intel’s promised Arrow Lake autopsy details up to 30% loss in performance
The Core Ultra 9 285K socketed into a motherboard.

Intel's Arrow Lake CPUs didn't make it on our list of the best processors when they released earlier this year. As you can read in our Core Ultra 9 285K review, Intel's latest desktop offering struggled to keep pace with last-gen options, particularly in games, and showed strange behavior in apps like Premiere Pro. Now, Intel says it has fixed the issues with its Arrow Lake range, which accounted for up to a 30% loss in real-world performance compared to Intel's in-house testing.

The company identified five issues with the performance of Arrow Lake, four of which are resolved now. The latest BIOS and Windows Updates (more details on those later in this story) will restore Arrow Lake processors to their expected level of performance, according to Intel, while a new firmware will offer additional performance improvements. That firmware is expected to release in January, pushing beyond the baseline level of performance Intel expected out of Arrow Lake.

Read more
You can get this 40-inch LG UltraWide 5K monitor at $560 off if you hurry
A woman using the LG UltraWide 40WP95C-W 5K monitor.

If you need a screen to go with the upgrade that you made with desktop computer deals, and you're willing to spend for a top-of-the-line display, then you may want to set your sights on the LG 40WP95C-W UltraWide curved 5K monitor. From its original price of $1,800, you can get it for $1,240 from Walmart for huge savings of $560, or for $1,275 from Amazon for a $525 discount. You should complete your purchase quickly if you're interested though, as there's no telling when the offers for this monitor will expire.

Why you should buy the LG 40WP95C-W UltraWide curved 5K monitor
5K monitors are highly recommended for serious creative professionals, such as graphic designers and filmmakers, for their extremely sharp details and precise colors, and the LG 40WP95C-W UltraWide curved 5K monitor is an excellent choice. We've tagged it as the best ultrawide 5K monitor in our roundup of the best 5K monitors, with its huge 40-inch curved screen featuring 5120 x 2160 resolution, 98% coverage of the DCI-P3 spectrum, and support for HDR10 providing striking visuals that you won't enjoy from most of the other options in the market.

Read more
Generative-AI-powered video editing is coming to Instagram
Instagram on iPhone against a colorful background.

Editing your Instagram videos will soon be as simple as typing out a text prompt, thanks to a new generative AI tool the company hopes to release in 2025, CEO Adam Mosseri announced Thursday.

The upcoming tool, which leverages Meta's Movie Gen model, will enable users to "change nearly any aspect of your videos," Mosseri said during his preview demonstration. Those changes range from subtle modifications, like adding a gold chain to his existing outfit or a hippo in the background, to wholesale alterations including swapping his wardrobe or giving himself a felt, Muppet-like appearance.

Read more