More woe for Lenovo, Dell and Toshiba over laptop bloatware gone bad

sincity · December 7, 2015

Serious vulnerabilities have been uncovered in the pre-installed software (or bloatware, as it's commonly known) that comes with Lenovo notebooks, and also Dell and Toshiba laptops.

The findings come courtesy of slipstream/RoL (as spotted by the Register) who tweeted: "Three OEMs. Three applications preinstalled. Three exploits."

Lenovo – which let's face it, could really do without any further bad publicity regarding its pre-installed programs – has left a gaping hole in its Lenovo Solution Center, which is supposed to monitor system health and, ironically, security, allowing you to check up on antivirus and firewall status, and to update software.

Unfortunately, if you've got the Solution Center running and you visit a website which is loaded with an exploit, this can crack open your machine and run any code the attacker wants allowing for the installation of malware and a load of other potential nastiness.

Lenovo is aware of the situation (US-CERT chimed in on the matter) and has issued an update to say it's investigating the issue, with applicable fixes to come "as rapidly as possible". Meanwhile, users are advised to simply uninstall the Solution Center to ensure they don't fall victim to any malicious activity.

Bloatware bombshells

As for Dell, the flaw which affects its machines is in the Dell System Detect utility which can be exploited to gain admin privileges and run commands via a method which uses a security token that can be downloaded from Dell.com.

And when it comes to Toshiba, the vulnerability is present in the company's Service Station software and can apparently be exploited to read most of the registry of the OS. But that's certainly not on the level of the humdinger which Lenovo has been afflicted by.

Once again, this shines a spotlight on the dangers of loading machines with bloatware, which not only slows laptops down, but can present serious risks when the vendor in question can't take the necessary care and time to code its own programs with a decent level of security.