Lenovo cries 'dump our support app' after 'critical' hole found
Win 10 OEM: bloatware strikes again!
Lenovo is warning users to uninstall its Accelerator support application after it was found to carry what the company itself describes as a serious man-in-the-middle vulnerability.
The company is one of five vendors caught pre-installing dangerously vulnerable OEM software.
Duo Security researcher Mikhail Davidov reported the holes, which let an attacker sitting on the network path tamper with Accelerator's unencrypted update channel and use it to compromise users.
"A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities," Lenovo says.
"The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.
"Lenovo recommends customers uninstall Lenovo Accelerator Application."
An unencrypted update channel lets an on-path attacker, among other things, push malware masquerading as a software patch. The exposure is limited in that the attacker must be able to intercept the victim's traffic, most easily by luring the victim onto a malicious or open wireless network, though any position on the path to the update server would do.
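The flawed and the hardened update-check patterns side by side, as an added example in Go that is not Lenovo's or Duo Security's code. It assumes a hypothetical JSON manifest format (version, download URL, SHA-256 of the package), a vendor Ed25519 signing key whose public half is pinned in the client, and constructed sample packages; the on-path attacker rewrites the plaintext manifest to point at its own payload, which the insecure client accepts and the signature-checking client rejects.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update-check response; the field names are an
// assumption for this example, not Lenovo's real wire format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// InsecureCheck is the flawed pattern: whatever arrived over plaintext HTTP is
// parsed and acted on, so an on-path attacker controls version, URL and hash.
func InsecureCheck(body []byte) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// SecureCheck verifies a detached Ed25519 signature against a public key pinned
// in the client before any field of the manifest is interpreted. HTTPS is still
// wanted on top; the signature is what survives an intercepted or downgraded channel.
func SecureCheck(pinned ed25519.PublicKey, body, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, body, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// VerifyPackage binds the downloaded installer to the hash in the manifest.
// It only means something once the manifest itself has been authenticated.
func VerifyPackage(m *Manifest, pkg []byte) error {
	if sha256Hex(pkg) != m.SHA256 {
		return errors.New("package hash mismatch: refusing to install")
	}
	return nil
}

// Tamper models the on-path attacker: rewrite the plaintext response to advertise
// a "newer" build hosted by the attacker, with a hash matching the attacker's payload.
func Tamper(body []byte, evilURL string, evilPkg []byte) []byte {
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return body
	}
	m.Version, m.URL, m.SHA256 = "9.9.9", evilURL, sha256Hex(evilPkg)
	out, _ := json.Marshal(m)
	return out
}

// Scenario runs both clients over a constructed exchange and reports whether the
// genuine signed manifest is accepted, whether the insecure client would install
// the attacker's payload, and whether the hardened client rejects the tampering.
func Scenario() (genuineAccepted, insecureInstallsPayload, secureRejected bool) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // fixed seed for determinism only
	priv := ed25519.NewKeyFromSeed(seed)
	pinned := priv.Public().(ed25519.PublicKey)

	genuinePkg := []byte("genuine installer bytes (constructed)")
	body, _ := json.Marshal(Manifest{
		Version: "1.0.1",
		URL:     "http://update.example.invalid/app-1.0.1.exe",
		SHA256:  sha256Hex(genuinePkg),
	})
	sig := ed25519.Sign(priv, body)
	if m, err := SecureCheck(pinned, body, sig); err == nil {
		genuineAccepted = VerifyPackage(m, genuinePkg) == nil
	}

	// Attacker on the victim's open Wi-Fi rewrites the response in flight.
	evilURL := "http://attacker.example.invalid/update.exe"
	evilPkg := []byte("attacker payload (constructed)")
	tampered := Tamper(body, evilURL, evilPkg)
	if m, err := InsecureCheck(tampered); err == nil {
		insecureInstallsPayload = m.URL == evilURL && VerifyPackage(m, evilPkg) == nil
	}
	_, err := SecureCheck(pinned, tampered, sig)
	secureRejected = err != nil
	return
}

func main() {
	g, i, s := Scenario()
	fmt.Printf("genuine accepted: %v\ninsecure client installs payload: %v\nhardened client rejects: %v\n", g, i, s)
}
```

The hash in an unauthenticated manifest protects nothing, because the attacker who rewrites the URL rewrites the hash to match. Transport encryption with proper certificate validation and a signature from a key pinned in the client are complementary: the first stops casual interception, the second stops a tampered response being acted on even when the channel is compromised.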
Only those Lenovo machines with Windows 10 pre-installed sport the exposed app.
The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.
The same Duo Security research tested laptops from Acer, Asus, Dell and HP as well, and found a dozen vulnerabilities across the five vendors. Every vendor shipped at least one flaw that let an attacker hijack the update process, and most of them are easy to exploit.
Lenovo says some 46 notebook and 25 desktop lines are affected, including its top-end Y700 gaming laptop, IdeaCentre all-in-one desktops, and Yoga convertibles.
ThinkPad and ThinkStations are unaffected.
It follows the shelling Lenovo took in early 2015 after it was found to have bundled the Superfish adware on consumer laptops shipped from late 2014. Superfish installed its own root certification authority certificate into the Windows trust store, with the same private key on every machine, so that once that key was extracted an attacker could mint certificates for any site and spoof HTTPS traffic to affected users. ®