Security vulnerabilities found in support software from Lenovo, Toshiba, and Dell

By | PCWorld

The number of vulnerabilities discovered in technical support applications installed on PCs by manufacturers keeps piling up. New exploits have been published for flaws in Lenovo Solution Center, Toshiba Service Station and Dell System Detect.

The most serious flaws appear to be in Lenovo Solution Center and could allow a malicious Web page to execute code on Lenovo Windows-based computers with system privileges.

The flaws were discovered by a hacker who uses the online aliases slipstream and RoL and who released a proof-of-concept exploit for them last week. This prompted the CERT Coordination Center at Carnegie Mellon University to publish a security advisory.

One of the issues is caused by the LSCTaskService, which is created by the Lenovo Solution Center and runs with SYSTEM privileges. This service opens an HTTP daemon on port 55555 that can receive commands. One of those commands is called RunInstaller and executes files placed in the %APPDATA%\LSC\Local Store folder.

Any local user can write to this directory, regardless of their privilege, but the files are executed as the SYSTEM account. This means that a restricted user can exploit the logic flaw to gain full system access.

Furthermore, there is a directory traversal flaw that can be exploited to trick the Lenovo Solution Center into executing code from arbitrary locations, so an attacker doesn’t even need to place files in the aforementioned Local Store folder.

Finally, the LSCTaskService is vulnerable to cross-site request forgery (CSRF), an attack method through which a malicious website can relay rogue requests through the user’s browser. This means that, in order to exploit the previous two flaws, an attacker doesn’t even need to have local access to the system where the Lenovo Solution Center is installed and can simply trick the user into visiting a specially crafted Web page.
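The checks a local command service of this kind would need, as an added example that is not Lenovo's code and not part of the original article: a containment check that defeats directory traversal, and a request check that refuses browser-relayed (CSRF) calls. The `BASE` path, the `X-Service-Token` header and all function names are assumptions made for illustration.

```python
import hmac
import ntpath  # Windows path rules, usable on any OS for this demo

# Constructed sample location; the article names only %APPDATA%\LSC\Local Store.
BASE = r"C:\Users\alice\AppData\Roaming\LSC\Local Store"

def naive_resolve(base, name):
    """Flawed pattern: join and normalize with no containment check."""
    return ntpath.normpath(ntpath.join(base, name))

def safe_resolve(base, name):
    """Return the normalized path only if it is a file path inside base."""
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return None  # absolute, drive-relative or UNC name
    base_n = ntpath.normcase(ntpath.normpath(base))
    full = ntpath.normpath(ntpath.join(base, name))
    full_n = ntpath.normcase(full)
    try:
        inside = ntpath.commonpath([base_n, full_n]) == base_n
    except ValueError:  # paths on different drives
        return None
    return full if inside and full_n != base_n else None

def request_allowed(headers, expected_token):
    """Reject browser-relayed requests and callers without the shared secret.

    X-Service-Token is a hypothetical header carrying a per-install secret
    that only the legitimate local client can read.
    """
    if "Origin" in headers or "Referer" in headers:
        return False  # a page in the user's browser originated this request
    supplied = headers.get("X-Service-Token", "")
    return hmac.compare_digest(supplied.encode(), expected_token.encode())

def handle_run_installer(headers, name, expected_token):
    """Return the path that would be launched, or None if refused."""
    if not request_allowed(headers, expected_token):
        return None
    return safe_resolve(BASE, name)
```

Neither check addresses the first flaw described above: as long as unprivileged users can write to the folder, a SYSTEM service should not launch anything from it without verifying the file, for example by signature, or should use a location only administrators can modify.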

In a security advisory on its website, Lenovo said that it is currently investigating the vulnerability report and will provide a fix as soon as possible. Until then, concerned users can uninstall the Lenovo Solution Center in order to mitigate the risk, the company said.

Slipstream also published proof-of-concept exploits for two other, lower-impact, vulnerabilities—one in the Toshiba Service Station and one in Dell System Detect (DSD), a tool that users are prompted to install when they click the “Detect Product” button on Dell’s support website.

The Toshiba Service Station application creates a service called TMachInfo that runs as SYSTEM and receives commands via UDP port 1233 on the local host. One of those commands is called Reg.Read and can be used to read most of the Windows registry with system privileges, according to the hacker.

“I have no idea what to do with it, but someone else might,” slipstream wrote in the exploit comments.

The flaw in DSD apparently stems from the way Dell attempted to fix a previous vulnerability. According to slipstream, the company implemented RSA-1024 signatures to authenticate commands, but put them in a place on its website where attackers can obtain them.

These can be used as a crude bypass method for Windows’ User Account Control (UAC). In this context, the bypass means that “if DSD isn’t elevated, we annoy the user with elevation requests until they click yes,” the hacker said.

This is not the first time vulnerabilities have been found in support tools installed on Lenovo or Dell computers.

Toshiba and Dell did not immediately respond to a request for comment.

Toshiba, SanDisk start producing smaller, faster 15nm NAND flash memory

Partners Toshiba and SanDisk have developed 15-nanometer process technology for NAND flash memory widely used in smartphones and tablets.

The development is the first in the world and will replace the second-generation 19-nm process technology when production begins at Toshiba’s plant in Yokkaichi, Japan, Toshiba said.

Process technology refers to the method and size in making chips. NAND flash memory is a storage medium that does not need power to retain data.

The 15-nm process technology will be applied to 128 gigabit (16GB) NAND flash memory with two bits per cell, Toshiba said.

By using a high-speed interface, the new chips increase the data transfer rate to 533 megabits per second, which is 1.3 times faster than the 19-nm process technology.

The Yokkaichi plant in Mie Prefecture near Osaka will begin mass production of the chips at the end of April, Toshiba said.

In a separate announcement, SanDisk said the technology will be available as its 1Z-nm process node, promoting what it called the world’s smallest, most cost-effective 128-gigabit chips.

“Our 15-nm technology will be utilized across its broad range of solutions, from removable cards to enterprise SSDs,” a SanDisk spokesman said in an email.

“The benefit for the customer is that the technology provides a lower cost structure compared to the previous node, which is 1Y-nm.”

via Toshiba, SanDisk start producing smaller, faster 15nm NAND flash memory | PCWorld.

OCZ Goes Bankrupt, SSD Assets are Targeted by Toshiba

DailyTech - OCZ Goes Bankrupt, SSD Assets are Targeted by Toshiba

Five years without a profit, and messy financial fraud allegations spelled the enthusiast firm’s demise

After years of takeover rumors, and five years of losing money on an annual basis, Friday marked the end of the road for flashy solid state drive (SSD) firm OCZ Technology Group Inc. (OCZ). Friday was a “black Friday” for OCZ in particular, with stock trades halting after the drivemaker announced that it would be filing for bankruptcy.

The beginning of the end had actually come earlier in the week with an announcement on Wednesday that Hercules Growth Capital Inc. (HTGC) — a lender to startups and troubled assets — had been granted permission to take over OCZ accounts at the Silicon Valley Bank and Wells Fargo Bank, National Association. The takeover was authorized after OCZ defaulted on its loan obligations to Hercules. Without money to continue operations and unable to find an angel investor, OCZ had no choice but to file for bankruptcy.

I. The Glory Years

Founded in 2002, OCZ began as a memory firm catering primarily to the computer gaming enthusiast market. The company saw a large growth in sales in the latter half of last decade, as it diversified into power supplies, solid state drives, and coolers. It even toyed with short-lived graphics card and gaming laptop projects. At the same time OCZ’s physical footprint grew to include satellite offices in The Netherlands, United Kingdom, and Israel, in addition to the company’s central headquarters in San Jose, Calif. and a manufacturing and logistics office in Taiwan.

Full Story: DailyTech – OCZ Goes Bankrupt, SSD Assets are Targeted by Toshiba.

PC sales continue to plunge, but the drop is less steep

The PC market moved into its sixth straight quarter of declining sales, analysts reported on Wednesday, although the dip was less pronounced than one firm expected. Market research firm Gartner reported that third-quarter PC sales dipped by 8.6 percent to 80.3 million units for the July-to-September quarter. IDC, with its own report, said the drop was 7.6 percent to 81.6 million units; the firm had previously projected a worldwide decline of 9.5 percent.
Normally, the third quarter marks the beginning of the upswing for the PC market, as students and educators invest in new hardware during the so-called back-to-school buying season. But sales apparently failed to materialize, either an indication that students are turning more to tablets or simply were using notebooks that they had bought previously. On the other hand, emerging product categories and a greater assortment of Windows 8-based models pushed sales volumes slightly higher, IDC reported, as did the migration from Windows XP to Windows 7.
“Consumers’ shift from PCs to tablets for daily content consumption continued to decrease the installed base of PCs both in mature as well as in emerging markets,” Mikako Kitagawa, principal analyst at Gartner, said in a statement. “A greater availability of inexpensive Android tablets attracted first-time consumers in emerging markets and as supplementary devices in mature markets.”
Rajani Singh, an analyst with IDC, noted that the U.S. market was essentially flat at 0 percent growth, helped by Chromebooks and what the company called “ultraslim” devices.
“Whether constrained by a weak economy or being selective in their tech investments, buyers continue to evaluate options and delay PC replacements,” Loren Loverde, an analyst with IDC added. “Despite being a little ahead of forecast, and the work that’s being done on new designs and integration of features like touch, the third quarter results suggest that there’s still a high probability that we will see another decline in worldwide shipments in 2014.”

IDC PC Sales Q3 2013
According to IDC, Lenovo led the pack of PC vendors for global sales during the third quarter.

Both Gartner and IDC said that Lenovo had again edged out rival Hewlett-Packard for a second straight quarter, with Lenovo showing a 2.8 percent increase in unit sales to 14.1 million units. HP and Dell also demonstrated 1.5 percent and 1.0 percent growth, respectively. But Acer’s sales plunged 22.6 percent, followed closely by Asus, with a 22.5 percent decline in shipments. However, both Acer and Asus have shifted their focus towards the tablet market, Gartner said.
Lenovo’s market share is 17.6 percent, followed closely by HP, at 17.1 percent, Gartner found. Dell, Acer, and Asus make up 11.6 percent, 8.3 percent, and 6.1 percent, respectively.

IDC PC Sales Q3 2013
HP was the top PC vendor in the U.S. during the third quarter.

According to Gartner, HP was the top U.S. PC vendor, with a 26.9 percent market share. Dell (21.0 percent) and Apple (13.4 percent) followed, then Lenovo (10.5 percent) and Toshiba (7.0 percent). Apple was the only vendor among the top five to record a drop in shipments, down 2.3 percent.
IDC largely agreed with Gartner’s numbers (as shown in the above chart), although the firm said that Acer and Asus recorded a steeper drop in shipments.
Both IDC and Gartner typically release tablet sales as part of a separate report, which will provide more insight into how the overall market will fare.
So far, the promise of Windows 8.1 has failed to ignite the PC market, as have the new “Haswell”-based notebooks from Intel’s PC partners. Will the fourth quarter show some signs of life, as Microsoft has predicted? So far, the best news is that it looks less gloomy than predicted. And that isn’t saying much.
via PCWorld