Lenovo Security Advisory: LEN-19151
Potential Impact: Execution diversion – launching arbitrary code within the user’s context
Scope of Impact: Industry-wide
CVE Identifier: TBD
An attacker who has already obtained access to a user’s account could attach an external program to the Synaptics driver, causing it to be run whenever the user types a key or moves the mouse, potentially hidden from the user. The external program runs within the user’s context and is unable to obtain elevated privileges without the user’s approval.
Mitigation Strategy for Customers (what you should do to protect yourself):
Install the updated Synaptics keyboard & touchpad driver from Windows Update, or download and install it from Lenovo drivers, at a version equal to or later than those described in the Product Impact section below.
Prior to new drivers being available, users should follow best security practices by selecting the lowest necessary user permissions. Log in as a standard user rather than administrator whenever feasible, and consider carefully before approving unsolicited UAC (User Account Control) pop-ups requesting administrator rights.
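To confirm that the driver update above has taken effect, the installed Synaptics driver version can be compared against the fixed version for the model. The PowerShell below is an added example, not Lenovo's or Synaptics' code: the function name Test-SynapticsDriver is hypothetical, the minimum version is a placeholder to be replaced with the value from the Product Impact section, and the sample inventory rows are constructed.

```powershell
# Added example: report whether installed Synaptics drivers meet a minimum version.
function Test-SynapticsDriver {
    param(
        [Parameter(Mandatory)] [version]$MinimumVersion,
        # Injectable inventory; defaults to the live signed-driver list on Windows.
        [object[]]$Drivers = (Get-CimInstance -ClassName Win32_PnPSignedDriver)
    )
    foreach ($d in $Drivers) {
        $isSynaptics = ($d.DriverProviderName -like '*Synaptics*') -or
                       ($d.Manufacturer -like '*Synaptics*')
        if (-not $isSynaptics) { continue }

        # DriverVersion is a string; treat anything unparsable as Unknown
        # rather than silently reporting it as updated.
        $parsed = $null
        $ok = [version]::TryParse([string]$d.DriverVersion, [ref]$parsed)
        if (-not $ok)                         { $status = 'Unknown' }
        elseif ($parsed -ge $MinimumVersion)  { $status = 'Updated' }
        else                                  { $status = 'NeedsUpdate' }

        [pscustomobject]@{
            DeviceName    = $d.DeviceName
            DriverVersion = $d.DriverVersion
            Status        = $status
        }
    }
}

# PLACEHOLDER: not a real fixed version. Use the version listed for your
# model in the advisory's Product Impact section.
$MinimumFixedVersion = [version]'0.0.0.0'

# Live check on a Windows machine:
#   Test-SynapticsDriver -MinimumVersion $MinimumFixedVersion

# Offline demonstration with CONSTRUCTED inventory rows and a CONSTRUCTED
# threshold (19.5.0.0), chosen only to show all three outcomes.
$sample = @(
    [pscustomobject]@{ DeviceName = 'Synaptics Pointing Device'; Manufacturer = 'Synaptics'
                       DriverProviderName = 'Synaptics'; DriverVersion = '19.3.4.0' }
    [pscustomobject]@{ DeviceName = 'Synaptics SMBus Driver'; Manufacturer = 'Synaptics'
                       DriverProviderName = 'Synaptics'; DriverVersion = '19.5.10.0' }
    [pscustomobject]@{ DeviceName = 'Synaptics HID Device'; Manufacturer = 'Synaptics'
                       DriverProviderName = 'Synaptics'; DriverVersion = '' }
    [pscustomobject]@{ DeviceName = 'Generic USB Hub'; Manufacturer = '(Standard USB HUBs)'
                       DriverProviderName = 'Microsoft'; DriverVersion = '10.0.0.1' }
)
Test-SynapticsDriver -MinimumVersion ([version]'19.5.0.0') -Drivers $sample |
    Format-Table -AutoSize
```

Rows reported as NeedsUpdate or Unknown identify machines that still need the updated driver or a manual check.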