Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes
from the pre-installed-problems dept.
Lenovo is advising users to upgrade to version 3.3.003 of Lenovo Solution Center (LSC), which includes fixes for two high-severity vulnerabilities in the tool. [The tool] allows users to check their system’s virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.
The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account. And the CVE-2016-5248 vulnerability allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not.