Lenovo laptops on display at the company's headquarters in Beijing.
Photograph by Tomohiro Ohsumi—Bloomberg via Getty Images

Lenovo asks its customers to uninstall its own software to fix the problem.

By Kif Leswing
December 8, 2015

Certain Lenovo computers can be hijacked by malicious websites because of security flaws in software that comes preinstalled from the factory. The world’s biggest PC maker issued a workaround for the problem Tuesday.

The security issue was first published by Carnegie Mellon’s Computer Emergency Readiness Team. From the vulnerability note:

By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.

According to the warning, Lenovo’s software contains three vulnerabilities that hackers could exploit to run their own code on an affected Lenovo computer.

The company has responded by instructing its users to uninstall Lenovo Solution Center, which comes on many Lenovo laptops and desktops. The software provides a dashboard for users to monitor system health and, ironically, security, but the program has been called bloatware, a term that describes unnecessary software that computer makers preinstall on your system.

Lenovo’s response instructs users to simply uninstall the program:

Lenovo was recently alerted by a cyber-security threat intelligence partner and US-CERT to a vulnerability report concerning its Lenovo Solution Center (LSC) application. We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. To remove the potential risk posed by this vulnerability, users can uninstall the Lenovo Solution Center application using the add/remove programs function.

This is the third time this year that Lenovo LNVGY has landed in hot water because of security risks stemming from its preinstalled software. In February, researchers discovered a preloaded piece of software called Superfish that essentially allowed hackers to read encrypted web-browsing data, even online passwords. When Superfish worked correctly, it injected ads on websites like Google. “We messed up badly,” Lenovo CTO Peter Hortensius admitted earlier this year.

In August, Lenovo computers were discovered automatically downloading a piece of software called Lenovo Service Engine, which would reinstall itself even if the computer was wiped and Windows was reinstalled.

Lenovo posted its first quarterly loss in six years in November. The company said PC sales declined 17% year over year during the third quarter, but it’s hard to tell how much of that is due to its recent security fiascos as the entire PC industry is currently contracting.

Lenovo’s not the only PC maker guilty of making its systems’ security weaker by preinstalling bloatware. The researcher who discovered the Lenovo Solution Center issue also pointed to two “lower-impact” flaws in support tools that come preinstalled on Toshiba and Dell computers. If security is your top priority, it’s wise to uninstall any software you don’t use, or purchase one of Microsoft’s Signature PCs, which come free of preinstalled manufacturer software.

 

Lenovo CEO Yang Yuanqing talks about Apple’s approach to China in this Fortune video:

Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.

SPONSORED FINANCIAL CONTENT

You May Like