Lenovo: Remove our software to avoid new security bug


PC firm tells customers to dump its own kit in new security debacle

Lenovo has advised customers to uninstall its own software to fix a bug reminiscent of the company’s Superfish scandal earlier this year.

The PC maker outlined the uninstall steps for its Lenovo Solution Center, a pre-installed piece of bloatware that monitors system health and security, on a support page after its cybersecurity partner and Carnegie Mellon’s CERT security group warned it about the flaw on 3 December.

The groups said that, left unfixed, the flaws could allow hackers to take over users’ computers via malicious websites.

CERT said: “By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.”

In a statement on Lenovo’s support page, the company said a fix is on the way, but added: “The immediate interim solution, as included in our previous security advisory on this matter, is for users to uninstall LSC software from their systems.”

Tim Erlin, director of security at security firm Tripwire, said that because Lenovo is both a hardware and a software company, its advice to remove its own software could see customers simply pick a rival’s kit to replace it.

“We’ve blurred the line between hardware and software suppliers with companies like Lenovo, Apple, Samsung and HTC,” he said.

“These blurred-line companies have a vested interest in avoiding solutions that simply replace the vulnerable software with another vendor.”

The issue is the latest in a line of bloatware problems for Lenovo this year.

The hardware manufacturer was forced to stop shipping adware called Superfish on its consumer laptops in February, after admitting the third-party kit could give attackers access to encrypted data.

CTO Peter Hortensius was forced to apologise for the Superfish debacle.

Then in August, users discovered their Lenovo devices automatically downloaded software called Lenovo Service Engine, which always reinstalled itself when removed.