A trifecta of vulnerabilities has been found in software preinstalled on a number of Dell, Toshiba, and Lenovo consumer and enterprise PCs and tablets, affecting millions of users.
A proof-of-concept that was posted online (which we are not linking to) could allow an attacker to run malware at the system level, regardless of what kind of user is logged in.
A user can be tricked into opening a specially-crafted web page, either as a drive-by download or through an email attachment, which could allow an attacker to exploit the flaw.
The security researcher, known as slipstream/RoL, confirmed to ZDNet that he did not inform Dell, Toshiba, and Lenovo of the flaws before the the proof-of-concept code was posted online.
An advisory, posted by Carnegie Mellon University's public vulnerability database (CERT) on Thursday, said preinstalled Lenovo software ( often known as "bloatware" ) includes three vulnerabilities.
The Lenovo Solution Center, an app designed to give the user a quick overview of the system's health, security and network status, comes pre-installed on a number of Think products, including ThinkPads, ThinkPad tablets, ThinkCenter and ThinkStation, IdeaCenter and some IdeaPads, running Windows 7 and later.
A Lenovo spokesperson would not say which specific models or how many would be affected, but referred to the security advisory posted on its website, posted Thursday, which reads: "We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. Additional information and updates will be posted to this security advisory page as they become available."
Lenovo has not said when it will fix the vulnerabilities in the software, but said in a security advisory that uninstalling the app will remove the risk posed by the flaw.
As for Toshiba, a security vulnerability was found in the preinstalled Toshiba Service Station, which searches for software updates among other features.
According to slipstream/RoL, the app allows a logged-in user to read parts of the registry as a system user, which has higher privileges than a standard user account. He said an attacker can't read the security account manager (SAM) or bootkeys, however. He said it's possible to "bypass any specific registry permissions set."
For Dell, this is the second major security issue in as many weeks -- and both were found by the same security researcher.
slipstream/RoL said that the preinstalled Dell System Detect app, which checks a user's system for issues prior to a support call, can be crudely used to bypass a Windows security feature that escalates a user's privilege.
He said that an attacker can abuse a signed application to repeatedly give a signed User Account Control prompt, until a user gives way and allows the elevation.
It comes just a week after Dell was accused of preinstalling a security certificate that could allow an attacker to intercept traffic and conduct man-in-the-middle attacks. CERT explained at the time that attacker can create their own certificates signed by Dell, which would be trusted by any system that trusts that certificate.
Spokespeople for Dell and Toshiba did not immediately respond to an email requesting comment.
It's not clear how many PCs or tablets are affected by the flaw, but it's thought to be in the millions .
Lenovo shipped 13.5 million PCs during the third-quarter this year, according to its third-quarter earnings report, published in mid-August. But it's not clear how many Lenovo PCs and tablets are affected by the vulnerable software.
Based on IDC figures, Dell shipped more than 10.1 million PCs in the third-quarter. It's not clear how many Toshiba PCs were shipped worldwide, but it shipped about 810,000 PCs in the US during the third quarter.
Bloatware -- also known as crapware -- remains a major issue in PC and mobile circles, particularly because it's been known to compromise system security. Lenovo, which was caught up in the "Superfish" adware scandal earlier this year, promised to stop bundling preinstalled bloatware on PCs.
"Preinstalled crapware is bad, m'kay?" said the researcher.