Millions of PCs affected by Lenovo bloatware bugs

Long-standing security holes plugged.

Lenovo is urging customers to update the Solutions Centre add-on for its Windows PCs to address four high-severity vulnerabilities that could lead to total compromise of users' machines.

The Solutions Centre maintenance software is bundled with the majority of the Chinese PC maker's systems, leading to millions of users being potentially affected by the bugs.

The flaws were initially acknowledged by Lenovo on December 3 last year, with fixes posted a week after. 

However, an additional flaw was discovered by Martin Rakhmanov, a researcher with security vendor Trustwave, last month, prompting Lenovo to issue further patches for the Solutions Centre on April 26.

Details of the flaw, CVE-2016-1876, are yet to be published by Trustwave.

The vulnerabilities exist in the back-end service for Lenovo Solutions Centre and could be exploited by local users to run any code at Windows SYSTEM level, which provides full access to all parts of the computer, the company said in its advisory.

The back-end service can also be exploited via a cross-site request forgery attack through websites or specially crafted URLs, allowing for remote code execution on victims' machines.

A further local privilege escalation vulnerability is also plugged with the latest set of patches for Solutions Centre.

According to Lenovo, Solutions Centre versions earlier than 3.3.0002 could be affected by the vulnerabilities and should be updated.

Lenovo's bundled software utilities have come under scrutiny in recent months after being shipped with serious vulnerabilities. 

In January this year, the SHAREit wireless file transfer tool was found to use '12345678' as the default password, allowing anyone to connect to the utility and access users' systems.

The PC vendor giant was also sharply criticised last year for shipping the Superfish adware on its systems, a move that left millions of customers open to remote attacks.

Copyright © iTnews.com.au. All rights reserved.