Some laptops and PCs from Lenovo, Dell, and Toshiba are reportedly vulnerable to attack. A vulnerability has been found in the suite of apps that these leading manufacturers pre-install on their devices. Millions of users are estimated to be affected.
A security professor who goes by the alias slipstream/ RoL has posted a proof-of-concept to demonstrate the vulnerability in the bloatware shipped by Lenovo, Dell, and Toshiba that can allow attackers to run malware at the system level.
The vulnerability can be exploited when a user visits a specially-crafted webpage. When a victim with an affected system visits the page, an attacker is able to run code with full system privileges on the system. From this point forward, an attacker can install malware and spyware on the system.
For Lenovo users, the vulnerability resides in Lenovo Solution Center, a program that is designed to let users know the system's health, security, and network status. The security researcher noted that if these devices are already affected with malicious apps, an attacker doesn't even need to visit any website to get attacked.
CERT, a non-profit United States federally funded research and development centre, wrote the following in an advisory. "By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges." The organisation further urges users to uninstall Lenovo System Center.
Lenovo has acknowledged the bug in an advisory it posted last week. "We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. Additional information and updates will be posted to this security advisory page as they become available."
A similar vulnerability has been found in Dell System Detect program. The discovery of the program comes less than a month after the US company was found to have rogue certificate on its computers. Toshiba bundles Service Station tool on its system that can be abused in a similar fashion.