Lenovo patches serious vulnerabilities in PC system update tool | CSO Online (http://www.csoonline.com/article/3008869/security/lenovo-patches-serious-vulnerabilities-in-pc-system-update-tool.html)
QuoteFor the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs.
Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.
Once again, an issue requiring attention by anyone with a Lenovo system.
Vulnerability Note VU#294607 - Lenovo Solution Center LSCTaskService privilege escalation, directory traversal, and CSRF (http://www.kb.cert.org/vuls/id/294607):
QuoteThe Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.
Lenovo Solution Center - Lenovo Support (US) (https://support.lenovo.com/us/en/product_security/len_4326):
QuoteLenovo Security Advisory: LEN-4326
Summary:
Lenovo was recently alerted by a cyber-security threat intelligence partner and US-CERT to a vulnerability report concerning its Lenovo Solution Center (LSC) application. We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. Additional information and updates will be posted to this security advisory page as they become available.
Mitigation Strategy for Customers (what you should do to protect yourself):
To remove the potential risk posed by this vulnerability, users can uninstall the Lenovo Solution Center application using the add / remove programs function.