Lenovo recommends removing bloatware due to man-in-the-middle risk

Spread the love

Lenovo advises customers to uninstall the Accelerator Application that the company preinstalls on laptops and desktops. Researchers showed that under certain circumstances, malicious parties can use the connection made by the application to inject malware.

Lenovo points out the vulnerability with a security advisory. The vulnerability could be exploited by an attacker with man-the-middle capabilities to remotely execute code on affected systems. In practice, an attacker must have access to the local network for a successful attack, such as at public hotspots or an open network he has set up. The vulnerability resides in the update mechanism of the Lenovo Accelerator, which allows the software to connect to the manufacturer’s server to check for updates. The Lenovo Accelerator Application is intended to help accelerate other programs that Lenovo ships with on its Windows 10 systems. Lenovo now recommends uninstalling the program.

The application was shipped on 46 laptop models with Windows 10, including Flex, Yoga, Erazer and Miix systems. In addition, the software was standard on 25 different types of desktop systems, including IdeaCentre models. According to Lenovo, the software was not on ThinkPads and ThinkStations.

The leak came to light through research by Duo Security. That company found that many update mechanisms of applications that manufacturers provide do not use TLS and also do not provide validation for Microsoft Authenticode Certificates. Lenovo’s UpdateAgent 1.0.0.4, among others, did not do this, but the company also found imperfections in Asus, Acer, Dell and HP that were trivial to exploit. It is not clear what steps these companies have taken.

Dell and Lenovo previously received negative news thanks to the possibilities that pre-installed software offered to attackers. Lenovo in particular came under fire when the SuperFish adware was found to hijack SSL traffic with an SSL certificate whose private key could be traced. This meant that a man-in-the-middle attack could even lead to access to https traffic. A year ago, Lenovo was also criticized for a leak in an update tool.

You might also like
Exit mobile version