Lenovo, Dell, Toshiba PCs at risk from unsafe bloatware

Millions of users are potentially at risk after a handful of vulnerabilities were discovered in software preinstalled on several Lenovo, Dell and Toshiba computers and tablets. 

A proof-of-concept posted online by security researcher slipstream/RoL reveals flaws in Lenovo machines could allow the devices to be hijacked when visiting a malicious website and let an attacker run malware with system privileges.

Carnegie Mellon University's CERT late last week said in an advisory that preinstalled Lenovo software contained three vulnerabilities in its solution centre, which gives a user an overview of the system's health, security and network status.

The solution centre comes preinstalled on numerous Lenovo Think-branded consumer and business products.

The vulnerability can be triggered via scripts on malicious websites which can run code with full system privileges on victim PCs without any interaction required from users.

Two other flaws in the software mean a local user can execute arbitrary code with system privileges.

Lenovo said it was urgently assessing the vulnerability report and would provide an update and applicable fixes as soon as possible. 

It advised users to uninstall its solution centre software in the meantime.

The researcher also discovered flaws in software bundled with Toshiba and Dell devices.

Toshiba's service station, which among other things searches for software updates, can be abused to read most of the operating system's registry as a user with system privileges, according to slipstream/RoL.

On Dell machines, the preinstalled system detect function can be used to gain administrator privileges and execute arbitrary commands when an attacker feeds it a security token downloaded from the dell.com website.