Okay, so some people are drawing parallels between this and Lenovo's Superfish scandal that happened late last year and carried on for the first few months of 2015. I am not a fan of that comparison. In the case of Superfish, Lenovo added third-party software that tampered with security for the purpose of advertising on the user's machine. In this case, a first-party application has a remote code execution vulnerability that was dealt with responsibly.
This happens to pretty much everyone, regularly.
But, so our readers know, they should update their Lenovo System Update. The current version, which seems to be 220.127.116.11 as far as I can tell, has been available since April and is not affected. This bug only concerns 18.104.22.168 and earlier. The issues were discovered in February by IOActive and disclosed to the PC manufacturer, who updated them before the security company published the issue. Unless I'm missing something, this is how it is supposed to be done.