In brief Lenovo laptops and PCs can be hijacked by visiting a malicious website – and Dell and Toshiba machines suffer vulnerabilities, too, we're told.
If you're running the Lenovo Solution Center bundled with Lenovo gear, and you browse by an evil webpage, scripts on that page can run code with full system privileges on your computer, allowing them to install malware, spy on you, and cause other havoc. Any programs or software nasties already on your machine can exploit Lenovo Solution Center to gain admin access, and therefore full control, without you lifting a finger.
The vulnerabilities were discovered by infosec bod Slipstream – previously on these pages for discovering security holes in Dell and UK school IT admin software. The US CERT has issued an alert about the Lenovo holes, and the Chinese giant has urged people to uninstall its Solution Center as soon as possible.
"By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges," said CERT, which is backed by the US Department of Homeland Security.