Flaw-ridden bloatware puts nearly every Lenovo PC at risk from hackers

A security flaw in software that's preinstalled on millions of Lenovo devices lets malware run at the system-level.
Written by Zack Whittaker, Contributor
(Image: CNET/CBS Interactive)

A serious security vulnerability has been discovered in software that's installed on almost every Lenovo notebook, tablet, and PC -- potentially affecting millions of users.

The affected Lenovo Security Center software allows users to see the overall health of their device, from hardware and software status, network connections, and installed security features.

But security researchers have found a way to raise the privileges of the software, which could let an attacker gain access to the whole system, according to a soon-to-be-released blog post by security firm Trustwave.

In other words, a hacker can run malware at a system-wide level -- even if the app doesn't appear to be running.

The good news is that Lenovo quickly patched the software after details of the vulnerability were privately disclosed.

The computer giant rolled out the new software last week, which will automatically ask users to install when they next open the software.

The software, often called "bloatware," comes installed as standard on ThinkPads, ThinkPad tablets, ThinkCenter and ThinkStation, IdeaCenter and some IdeaPads, running Windows 7 and later.

But this often-unwanted software -- also known as "crapware" -- remains a major issue in PC and mobile circles, particularly because it's known to put system security at risk.

Case in point, it's the third problem that Lenovo has been forced to address in relation to using preinstalled software in the past two years.

A security researcher discovered a trifecta of security flaws, affecting software that's preinstalled on laptops made by Toshiba, Dell, and Lenovo.

The flaw similarly would have allowed an attacker to run malware at the system level, regardless of what kind of user is logged in. A user would have to be tricked into opening a specially-crafted web page, such as through a drive-by download or a link in an email.

Lenovo was also caught up in the "Superfish" adware scandal last year. The company later promised to stop bundling preinstalled bloatware on the computers and devices it sells.

Editorial standards