Lenovo Security Advisory: LEN-11340
Potential Impact: Privilege Escalation
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2016-8235
An unquoted service path vulnerability was identified in the Lenovo Customer Care Software Development Kit (CCSDK) that could allow a user with local privileges on a system to execute code with administrative privileges.
The Customer Care Software Development Kit (CCSDK) on Lenovo Desktop and Lenovo Notebook systems provides anonymous, non-personally identifiable diagnostic device data to Lenovo to help Lenovo improve both existing and future products.
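The following audit for the unquoted service path condition described above is an added example, not Lenovo code or part of the original advisory. The helper name `Test-UnquotedServicePath` and the sample paths are hypothetical and constructed for illustration; the advisory does not give the affected service's name or path.

```powershell
# Added example: flag Windows services whose executable path is unquoted
# and contains a space. Test-UnquotedServicePath is a hypothetical helper.
function Test-UnquotedServicePath {
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()

    # A path that begins with a quote is delimited unambiguously.
    if ($p.StartsWith('"')) { return $false }

    # Isolate the executable portion (shortest prefix ending in .exe),
    # so that spaces in the service's arguments are not counted.
    if ($p -notmatch '^(.+?\.exe)(\s|$)') { return $false }

    # Unquoted and containing a space: the condition this advisory describes.
    return $Matches[1].Contains(' ')
}

# Constructed sample values (not from the advisory) showing each outcome.
$samples = @(
    'C:\Program Files\Example Vendor\svc.exe -run',    # True: unquoted, space in path
    '"C:\Program Files\Example Vendor\svc.exe" -run',  # False: quoted
    'C:\Windows\System32\svchost.exe -k netsvcs'       # False: no space in the path
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live audit of the local machine: list every service that matches,
# with the account it runs as, so high-privilege entries stand out.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName } |
    Select-Object Name, StartName, StartMode, PathName |
    Format-Table -AutoSize -Wrap
```

Run the audit again after applying the update; a service that is still listed has not received a corrected (quoted) path.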
Mitigation Strategy for Customers (what you should do to protect yourself):
Update CCSDK to version 22.214.171.124 or later by opening Lenovo System Update, clicking on “Get new updates” and following the prompts to update to the latest version of CCSDK. Users can also manually update by following the instructions at the link here.
Steps to verify that you are running the latest version of CCSDK:
In Windows 7, open Programs and Features by clicking the Start button, clicking Control Panel, clicking Programs, and then clicking Programs and Features.