Lenovo Security Advisory: LEN-2015-015
Potential Impact: Escalation of Privilege
Lenovo’s “USB Enhanced Performance Keyboard” software has a known issue where debug code was accidentally left in the application. The debug code includes information about which keys on the keyboard are pressed. Lenovo has released a new version of the software that removes the debug code.
The debug code exists in all previous versions of the software, and has been preloaded on ThinkPad and ThinkCentre systems since early 2014. The debug code, in SKHOOKS.DLL, calls the Windows API OutputDebugString to indicate which key has been pressed. The debug code does not store this information or send it anywhere. This vulnerability cannot be exploited remotely. Only a user with access to the system and the ability to run a tool that captures debug output can intercept these calls to OutputDebugString. To eliminate this vulnerability, Lenovo has removed the debug code from SKHOOKS.DLL.
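The pattern the advisory describes, shown as an added illustration rather than Lenovo's own code: a keyboard-hook handler that formats the pressed key into a string for the debug channel, beside a version that never puts key data on that channel. The function and variable names (hook_vulnerable, hook_fixed, debug_sink, key_event) are hypothetical, and the key event is a constructed value. On Windows the sink calls the real OutputDebugStringA, which writes to a system-wide channel readable by any local debug-output capture tool; on other platforms only the recording buffer is used so the behaviour can still be inspected.

```c
/* Added example, not code from the advisory or from Lenovo.
 * Demonstrates why a leftover OutputDebugString trace of key presses is a
 * local information leak, and what the same hook looks like without it. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Records the last string sent to the debug channel so it can be inspected. */
static char g_last_debug[256];

/* Hypothetical sink: on Windows this is the real, system-wide debug channel. */
static void debug_sink(const char *msg) {
    snprintf(g_last_debug, sizeof g_last_debug, "%s", msg);
#ifdef _WIN32
    OutputDebugStringA(msg);
#endif
}

/* A key event as a keyboard hook would see it (constructed shape). */
typedef struct {
    unsigned vk;   /* virtual-key code */
    int is_down;   /* 1 = key down, 0 = key up */
} key_event;

/* Vulnerable pattern: debug trace left in shipped code writes the key identity
 * onto a channel that every local process with a debug-output tool can read. */
void hook_vulnerable(const key_event *ev) {
    char buf[64];
    snprintf(buf, sizeof buf, "key %s vk=0x%02X",
             ev->is_down ? "down" : "up", ev->vk);
    debug_sink(buf);
    /* ... normal hotkey handling would follow ... */
}

/* Fixed pattern: no trace in shipped builds (the advisory's fix is removal);
 * if a developer trace is compiled in, it carries no key data at all. */
void hook_fixed(const key_event *ev) {
#ifdef ENABLE_DEV_TRACE
    debug_sink("key event");   /* event presence only, never which key */
#endif
    (void)ev;
    /* ... normal hotkey handling would follow ... */
}

/* Returns 1 if the last debug message reveals the given virtual-key code. */
int last_debug_reveals_key(unsigned vk) {
    char needle[16];
    snprintf(needle, sizeof needle, "vk=0x%02X", vk);
    return strstr(g_last_debug, needle) != NULL;
}

void reset_debug_channel(void) { g_last_debug[0] = '\0'; }

int main(void) {
    key_event ev = { 0x41, 1 };   /* constructed: 'A' key pressed */

    reset_debug_channel();
    hook_vulnerable(&ev);
    printf("vulnerable hook -> \"%s\" (reveals key: %d)\n",
           g_last_debug, last_debug_reveals_key(0x41));

    reset_debug_channel();
    hook_fixed(&ev);
    printf("fixed hook      -> \"%s\" (reveals key: %d)\n",
           g_last_debug, last_debug_reveals_key(0x41));
    return 0;
}
```

The point of the comparison is the data flow, not the API: OutputDebugString is a legitimate development aid, but anything handed to it is visible to every local debug-output listener, so key identities, credentials or other per-user data must never reach it in a shipped binary.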
Mitigation Strategy for Customers (what you should do to protect yourself):
There are several ways you can protect yourself. Lenovo recommends that you take one of the following steps:
Other information and references:
CVE ID: CVE-2015-3320
1.1 | 05/05/2015 | Added CVE ID