If you have a Lenovo computer which came with the Lenovo Solution Center app pre-installed (versions 3.1.004 and below), a Dell computer and therefore Dell System Detect software (versions 188.8.131.52 and below), or a Toshiba with the Toshiba Service Station app (versions 2.6.14 and below), then your PC is at risk.
The “PC Does What!?” marketing campaign meant to convince users that PCs are super cool is unlikely to include PC “gets you pwned” in any upcoming commercials, but a security researcher posted proof-of-concept exploits that affect three out of five PC makers involved in “PC Does What!?” A researcher, using the alias slipstream/RoL, posted proof-of-concept code capable of exploiting security vulnerabilities in Dell, Lenovo and Toshiba machines. The researcher released the proof-of-concept code into the wild without first disclosing the issues to vendors, meaning millions of users are potentially at risk as exploiting the flaws could allow an attacker to run malware at the system level.
According to the proof-of-concept, it doesn’t matter what you are logged in as – even a less risky Windows User Account instead of an administrator account, because the vendors’ preinstalled bloatware on Dell, Lenovo and Toshiba machines run with full system privileges giving attackers keys to your personal digital kingdom.
Lenovo Solution Center
“The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with System privileges,” warned Carnegie Mellon University’s US-CERT (Computer Emergency Readiness Team). If a user has launched the Lenovo Solution Center and an attacker can convince or otherwise trick a user into viewing a maliciously crafted web page, HTML email message or attachment, then “an attacker may be able to execute arbitrary code with SYSTEM privileges,” US-CERT wrote. “Additionally, a local user can execute arbitrary code with SYSTEM privileges.”
The Lenovo Solution Center “allows users to quickly identify the status for system health, network connections and overall system security.” The security advisory posted by slipstream/RoL explained that the software installs as a service on Lenovo PCs and runs at the system level, yet “issues in Lenovo Solution Center, versions 3.1.004 and below, can be exploited to gain local privilege escalation to SYSTEM, and remote code execution as SYSTEM while Lenovo Solution Center is open.”
US-CERT listed three different vulnerabilities affecting Lenovo PCs: Lenovo Solution Center creates a process called LSCTaskService, which runs at a system level meaning it has an incorrect permission assignment for a critical resource; a Cross-Site Request Forgery (CSRF) vulnerability; and a directory traversal flaw. “Note that all of these vulnerabilities appear to require that the user has launched the Lenovo Solution Center at least once,” CERT warned. “Simply closing the Lenovo Solution Center does appear to stop the vulnerable LSCTaskService process.”
After US-CERT notified Lenovo, Lenovo posted a security advisory warning: “We are urgently assessing the vulnerability report and will provide an update and applicable fixes as rapidly as possible.” For now, the best way to protect yourself: “To remove the potential risk posed by this vulnerability, users can uninstall the Lenovo Solution Center application using the add / remove programs function.”
Even if you are careful about clicking on links and opening email attachments, and you have run Lenovo’s app, then you could get pwned via a drive-by-download. Lenovo says of its pre-installed bloatware, called crapware by some, that Lenovo Solution Center was created for the company’s Think products. If you have a ThinkPad, IdeaPad, ThinkCenter, IdeaCenter, or ThinkState running Windows 7 or later, then uninstall Lenovo Solution Center now.
Dell System Detect
Dell System Detect, regarded as bloatware by some and a black-hat hacker's best bud by others, comes pre-installed on Dell computers; the app interacts with Dell Support “to provide a better and more personalized support experience.” Yet according slipstream/RoL’s security advisory for Dell System Detect, versions 184.108.40.206 and below can be exploited to allow attackers to escalate privilege and bypass Windows User Account Control. Unlike Lenovo’s “uninstall solution,” slipstream/RoL warned, “Not even uninstallation of Dell System Detect will prevent exploitation of these issues.”
Instead, the researcher suggested uninstalling Dell System Detect and then blacklisting DellSystemDetect.exe as that is the only mitigation that will prevent exploitation.
US-CERT previously warned, “Dell System Detect installs the DSDTestProvider certificate into the Trusted Root Certificate Store on Microsoft Windows systems.” After Dell responded to a security researcher’s claim that its pre-installed security certificate could allow an attacker to run a man-in-the-middle attack against Dell users, and Microsoft posted a security advisory, Dell posted a knowledge base article explaining how to remove eDellroot and DSDTestProvider certificates.
Toshiba Service Station
Toshiba Service Station is software meant to “automatically search for Toshiba software updates or other alerts from Toshiba that are specific to your computer system and its programs.” Yet according to the Toshiba Service Station security advisory, posted by slipstream/RoL on Lizard HQ, “versions 2.6.14 and below can be exploited to “bypass any read-deny permissions on the registry for lower-privileged users.”
As for any possible mitigation, the researcher advised uninstalling Toshiba Service Station.
Millions of users at risk of attackers compromising their PCs
According to IDC Worldwide Quarterly PC Tracker, there has been an overall decline in PC shipments in 2015, but Lenovo shipped 14.9 million units and Dell shipped over 10 million; Toshiba is mentioned as coming in fifth for PC shipments having shipped 810,000 PCs in the third quarter alone. Altogether, millions of users are at risk of being hacked due to the proof-of-concept code released to the public.
Since Dell, Lenovo, Toshiba, and Microsoft by way of Windows, have been given black eyes, then if the researcher slipstream/RoL were to pop some pre-installed HP software as well as Intel, the entire PC squad behind the PC Does What!? marketing campaign will have been pwned.