SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
9 Dec 2015

Dell, Toshiba, and Lenovo PCs at risk of bloatware security flaws

A trifecta of vulnerabilities has been found in software preinstalled on a number of Dell, Toshiba, and Lenovo consumer and enterprise PCs and tablets, affecting millions of users.

A proof-of-concept that was posted online (which we are not linking to) could allow an attacker to run malware at the system level, regardless of what kind of user is logged in.

A user can be tricked into opening a specially-crafted web page, either as a drive-by download or through an email attachment, which could allow an attacker to exploit the flaw. The security researcher, known as slipstream/RoL, confirmed that he did not inform Dell, Toshiba, and Lenovo of the flaws before the proof-of-concept code was posted online. An advisory, posted by Carnegie Mellon University's public vulnerability database (CERT) on Thursday, said preinstalled Lenovo software (often known as "bloatware") includes three vulnerabilities.

The Lenovo Solution Center, an app designed to give the user a quick overview of the system's health, security and network status, comes pre-installed on a number of Think products, including ThinkPads, ThinkPad tablets, ThinkCentre and ThinkStation, IdeaCentre and some IdeaPads, running Windows 7 and later.

A Lenovo spokesperson would not say which specific models or how many would be affected, but referred to the security advisory posted on its website Thursday, which reads: "We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. Additional information and updates will be posted to this security advisory page as they become available." Lenovo has not said when it will fix the vulnerabilities in the software, but said in the security advisory that uninstalling the app will remove the risk posed by the flaw.

As for Toshiba, a security vulnerability was found in the preinstalled Toshiba Service Station, which searches for software updates among other features. According to slipstream/RoL, the app allows a logged-in user to read parts of the registry as a system user, which has higher privileges than a standard user account. He said an attacker can't read the security account manager (SAM) or bootkeys, however. He said it's possible to "bypass any specific registry permissions set."

For Dell, this is the second major security issue in as many weeks -- and both were found by the same security researcher. slipstream/RoL said that the preinstalled Dell System Detect app, which checks a user's system for issues prior to a support call, can be crudely used to bypass a Windows security feature that escalates a user's privilege. He said that an attacker can abuse a signed application to repeatedly give a signed User Account Control prompt, until a user gives way and allows the elevation.

It comes just a week after Dell was accused of preinstalling a security certificate that could allow an attacker to intercept traffic and conduct man-in-the-middle attacks. CERT explained at the time that an attacker can create their own certificates signed by Dell, which would be trusted by any system that trusts that certificate. Spokespeople for Dell and Toshiba did not immediately respond to an email requesting comment. It's not clear how many PCs or tablets are affected by the flaw, but it's thought to be in the millions.

Lenovo shipped 13.5 million PCs during the third quarter this year, according to its third-quarter earnings report, published in mid-August. But it's not clear how many Lenovo PCs and tablets are affected by the vulnerable software. Based on IDC figures, Dell shipped more than 10.1 million PCs in the third quarter. It's not clear how many Toshiba PCs were shipped worldwide, but it shipped about 810,000 PCs in the US during the third quarter.

Bloatware -- also known as crapware -- remains a major issue in PC and mobile circles, particularly because it's been known to compromise system security. Lenovo, which was caught up in the "Superfish" adware scandal earlier this year, promised to stop bundling preinstalled bloatware on PCs.

Tags: information leaks, Lenovo, Dell, Toshiba

Source: ZDNet