A flaw in a Lenovo support application that typically comes pre-installed leaves an open window for malicious code to be injected with system privileges. Exploited with malicious intent, this would give an attacker the ability to take over the whole operating system.

Why is this significant?

  • The application, Lenovo Solution Center (LSC), was created so the user can run diagnostic functions, such as checking for the presence of security features including firewalls or antivirus programs, as well as other diagnostics. A vulnerability in the supply chain once again leaves open the possibility of a PC succumbing to an attacker.
  • "In addition, a cross-site request forgery (CSRF) vulnerability exists that may allow exploitation of these vulnerabilities if a user opens a malicious web site or crafted URL while the LSC backend service is running on a user's machine. The user's computer may still be vulnerable even if the LSC user interface is not running."
  • Although a patch was released to update PCs running LSC, this vulnerability is connected to a flaw reported back in December, which prompted Lenovo to update an older advisory that was not clear the first time around.
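The CSRF risk in the quoted advisory comes from a backend service listening on the local machine that will act on any request the browser sends it, including requests triggered by an unrelated web page. The following Python is an added example, not Lenovo's or LSC's code, and the names it uses (`TRUSTED_ORIGINS`, `SESSION_TOKEN`, `vulnerable_authorize`, `hardened_authorize`, the constructed request headers) are assumptions for illustration. It places the weak accept-everything check beside a hardened one that validates the request's `Origin` (falling back to `Referer`) and a per-session token that a remote page cannot learn, and runs both over a few constructed sets of request headers:

```python
import hmac
import secrets
from urllib.parse import urlparse

# Added example, not LSC's code. Origins allowed to talk to the local
# backend: only the backend's own local user interface (assumed port).
TRUSTED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}

# Per-session secret the local UI obtains out-of-band (for instance from a
# file readable only by the local user). A page served from another origin
# has no way to read it, so it cannot forge a valid request.
SESSION_TOKEN = secrets.token_urlsafe(32)


def vulnerable_authorize(headers: dict) -> bool:
    """Weak check: trusts anything that reaches the loopback port.

    A browser will happily send a request from a malicious page to
    http://127.0.0.1:<port>, so "it came from localhost" proves nothing
    about which site initiated the request.
    """
    return True


def hardened_authorize(headers: dict, expected_token: str = SESSION_TOKEN) -> bool:
    """Accept only requests whose origin is trusted AND carry the session token.

    Header names are compared case-insensitively, as HTTP requires.
    Requests with neither Origin nor Referer are refused rather than assumed
    local, and a literal "null" Origin is not in the trusted set either.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        referer = h.get("referer")
        if referer is None:
            return False
        p = urlparse(referer)
        origin = f"{p.scheme}://{p.netloc}"
    if origin not in TRUSTED_ORIGINS:
        return False
    token = h.get("x-csrf-token", "")
    # Constant-time comparison so a wrong token cannot be refined via timing.
    return hmac.compare_digest(token.encode(), expected_token.encode())


# Constructed request headers for the comparison (not captured traffic).
LOCAL_UI_REQUEST = {"Origin": "http://127.0.0.1:8080", "X-CSRF-Token": SESSION_TOKEN}
REFERER_ONLY_REQUEST = {
    "Referer": "http://localhost:8080/index.html",
    "X-CSRF-Token": SESSION_TOKEN,
}
CROSS_SITE_REQUEST = {"Origin": "http://attacker.invalid", "X-CSRF-Token": "guess"}
NO_ORIGIN_REQUEST = {"X-CSRF-Token": SESSION_TOKEN}
BAD_TOKEN_REQUEST = {"Origin": "http://127.0.0.1:8080", "X-CSRF-Token": "stale"}

SAMPLES = {
    "local UI": LOCAL_UI_REQUEST,
    "local UI (Referer only)": REFERER_ONLY_REQUEST,
    "cross-site page": CROSS_SITE_REQUEST,
    "no origin information": NO_ORIGIN_REQUEST,
    "local origin, wrong token": BAD_TOKEN_REQUEST,
}


def compare_checks(samples: dict = SAMPLES) -> dict:
    """Return {name: (accepted_by_weak_check, accepted_by_hardened_check)}."""
    return {
        name: (vulnerable_authorize(hdrs), hardened_authorize(hdrs))
        for name, hdrs in samples.items()
    }


if __name__ == "__main__":
    for name, (weak, hard) in compare_checks().items():
        print(f"{name:28s} weak={'accept' if weak else 'reject'}  "
              f"hardened={'accept' if hard else 'reject'}")
```

The weak check accepts all five requests; the hardened check accepts only the two that originate from the backend's own UI and carry the session token. Checking the origin alone is not enough either, which is why the token is required in addition: the token is what separates a request the local UI made from one a browser was coaxed into making.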

Read the full story on CSOOnline