You know it’s getting bad when a company suggests that its customers start uninstalling its own software for protection.
Dell, Toshiba, and Lenovo have all been caught up in security problems recently, exposing PCs worldwide to potentially dangerous situations. US-CERT has also taken notice and has now weighed in on the Lenovo issue, at least.
Per US-CERT Vulnerability Note VU#294607:
The Lenovo Solution Center application contains multiple vulnerabilities that can allow an attacker to execute arbitrary code with SYSTEM privileges.
Lenovo has now reacted to this announcement with a warning of its own, stating that it is assessing the vulnerability report and will provide an update and applicable fixes as soon as possible, and that in the meantime customers can…
…remove the potential risk posed by this vulnerability, users can uninstall the Lenovo Solution Center application using the add / remove programs function.
Most enterprises perform a wipe-and-reload process when new computers are received, just before the devices are handed to end users. This minimizes this type of risk to businesses. Consumers, however, generally don’t have the ability, experience, or knowledge to reinstall the operating system from scratch, or aren’t comfortable doing so.
It really makes the case for Microsoft’s Signature PC editions, where you pay a little extra to receive a device that runs the latest OS but is completely crapware-free. I received a Lenovo Yoga 900 recently and spent the good part of an hour just removing software that I’d never use, that was pretty poorly developed, and that, frankly, had no business being installed in the first place.