Lenovo has fixed two high-severity vulnerabilities in the Lenovo Solution Center support tool that is preinstalled on many laptop and desktop PCs. The flaws could allow attackers to take over computers and terminate antivirus processes.
Lenovo Solution Center allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests. Privilege escalation flaws like this one cannot be used by themselves to compromise computers, but are often used in exploit chains.
Lenovo has urged users to uninstall bloatware bundled on Windows 10 devices by the company after critical security holes were discovered.
The Chinese PC maker said in a security advisory a vulnerability within the company's Lenovo Accelerator Application software is a "high severity" problem which could give attackers the avenue to launch man-in-the-middle attacks against users. MITM attacks occur when a vulnerable machine has been infected with malware which contains surveillance capabilities or a vulnerable web browser is communicating with an insecure server. This type of attack may not show visible signs.
A security researcher has discovered a number of vulnerabilities in Lenovo’s SHAREit app, the worst being the use of “12345678” as a hard-coded, default password. The problems have been patched in the software’s latest release.
SHAREit is an app found on many of Lenovo’s products to allow users to share files across devices. Some ThinkPad and IdeaPad computers, along with Lenovo smartphones, were impacted by the bug. Core Security found four vulnerabilities in the app but the password issues stick out the most. In one of its advisories, Core Security found that when the app is receiving files, it sets a password on a Wi-Fi hotspot.
A trifecta of vulnerabilities has been found in software preinstalled on a number of Dell, Toshiba, and Lenovo consumer and enterprise PCs and tablets, affecting millions of users.
A proof-of-concept that was posted online could allow an attacker to run malware at the system level, regardless of what kind of user is logged in. A user can be tricked into opening a specially-crafted web page, either as a drive-by download or through an email attachment, which could allow an attacker to exploit the flaw. The security researcher confirmed that he did not inform Dell, Toshiba, and Lenovo of the flaws before the proof-of-concept code was posted online.
Lenovo seems to be testing the boundaries of trust. First came the Superfish scandal where they were found to be pre-loading ad software that was so poorly implemented that it left victims/customers vulnerable to serious security flaws.
Then, Lenovo software was discovered on a fresh install of the retail edition of Windows. Lenovo had been modifying the BIOS to ensure that, no matter what a customer did, their software got installed. And this was software referred to as "crapware". That the software was buggy just made a bad situation worse. In the end, Lenovo updated the BIOS not to muck around with the installed copy of Windows.
A recently uncovered feature – which had been swept under the rug – allowed new Lenovo laptops to use new Windows features to install the company’s software and tools even if the computer was wiped.
The users discovered the issue in May when using a new Lenovo laptop that automatically and covertly overwrote a system file on every boot, which downloaded a Lenovo updater and installed software automatically, even if Windows was reinstalled from a DVD. The only problem is that nobody actually asked for this software, and it persisted between clean installs of Windows. Lenovo was essentially exploiting a rootkit on its own laptops to ensure its software persists if wiped.
Three months after Lenovo was called out for installing dangerous software onto its computers, the world's largest PC manufacturer has once again been accused of lax security measures.
Security firm IOActive reports that it discovered major vulnerabilities in Lenovo's update system that could allow hackers to bypass validation checks, replace legitimate Lenovo programs with malicious software, and run commands from afar. Through one of the vulnerabilities, IOActive researchers explained that attackers could create a fake certificate authority to sign executables, allowing malicious software to masquerade as official Lenovo software.
Lenovo, the largest PC manufacturer in the world, admitted to pre-loading the Superfish adware on some consumer PCs. Lenovo has been accused of fatally compromising user security by installing an adware application on all its Windows computers as they leave the factory.
Unhappy customers are now dragging the company to court on the matter. A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. The lawsuit was filed after Lenovo admitted to pre-loading Superfish.
Lenovo, the largest PC manufacturer in the world, has been accused of fatally compromising user security by installing an adware application on all its Windows computers as they leave the factory.
The software purports to offer users a “visual search” experience. In actual fact, it injects third-party advertisements into Google search results and websites, without asking the user. In order to place adverts on websites served to the user over an encrypted connection, as Google does by default, Lenovo owners report that Superfish software also breaks social security used by every computer to access the internet privately.