12-05-2015 03:23 AM - edited 12-05-2015 03:32 AM
Note that all of these vulnerabilities appear to require that the user has launched the Lenovo Solution Center at least once. Simply closing the Lenovo Solution Center does appear to stop the vulnerable LSCTaskService process.
Lenovo has provided the following statement:...
"Lenovo was recently alerted by a cyber-security threat intelligence partner and The CERT/CC to a vulnerability report concerning its Lenovo Solution Center (LSC) application. We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible. Additional information and updates will be posted to this Lenovo security advisory page (https://support.lenovo.com/us/en/product_security/len_4326) as they become available."
ImpactL By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.
Solution The CERT/CC is currently unaware of a practical solution to this problem.
12-07-2015 04:48 PM
Surely Lenovo's article will be updated. I'll also post back here as well in case others miss the updated info.
I am not employed by Lenovo or Microsoft. I am a volunteer.
12-08-2015 01:19 PM - edited 12-08-2015 01:40 PM
Reading the vulnerability description I can say this is not just an ordinary bug "that happens", this is a total software architecture failure
I would recommend to also verify Lenovo Settings Dependency Package whether there is not similar issue.
12-10-2015 02:45 PM
The patched version 2.8.006 and 3.2.002 are released today for self update through LSC and should be available for download via the support site soon - perhaps as early as tommorow.
I was on 2.8.005 and launched LSC and it updated this afternoon to 2.8.006.
12-10-2015 03:31 PM