By Darren Pauli, 2nd June 2016 06:58

Lenovo cries 'dump our support app' after 'critical' hole found

Win 10 OEM: bloatware strikes again!

Lenovo is warning users to uninstall its Accelerator support application after it was revealed to have what it says are serious interception vulnerabilities.

The company is one of five vendors caught pre-installing dangerously-vulnerable OEM software.

Duo Security researcher Mikhail Davidov reported the holes that would allow eavesdropping attackers to tap into Accelerator's unencrypted update channels to compromise users.

"A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities," Lenovo says.

"The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.

"Lenovo recommends customers uninstall Lenovo Accelerator Application."

Unencrypted update channels give attackers an avenue to, among other things, push malware masquerading as software patches. The exposure is limited in that affected users must connect to malicious or open wireless networks to be at risk.
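As an added illustration (not code from the article, from Lenovo or from Duo Security), the weak "trust whatever the plaintext query returns" pattern beside a hardened update check; the host names, manifest fields and payloads are constructed stand-ins, not the real Accelerator update format:

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse
# Constructed sample data; hosts, field names and payloads are hypothetical stand-ins.
UPDATE_HOSTS = {"updates.example.com"}
GOOD_PACKAGE = b"legitimate update payload (constructed sample)"
GOOD_MANIFEST = {
    "version": "2.0.1",
    "package_url": "https://updates.example.com/accelerator-2.0.1.exe",
    "sha256": hashlib.sha256(GOOD_PACKAGE).hexdigest(),
}

@dataclass
class Verdict:
    accepted: bool
    reason: str

def parse_version(text):
    """'2.0.1' -> (2, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def naive_update_check(manifest, package):
    """Weak pattern: trust the plaintext query result and install whatever was
    downloaded. Anyone on the network path can rewrite both."""
    return Verdict(True, f"installing {manifest['version']}")

def hardened_update_check(manifest_url, manifest, package, installed_version):
    """Defensive pattern: HTTPS-only query to an allow-listed host, HTTPS-only
    download, payload bound to the manifest by SHA-256, and no downgrades.
    A production client should also verify a vendor signature over the manifest."""
    query = urlparse(manifest_url)
    if query.scheme != "https" or query.hostname not in UPDATE_HOSTS:
        return Verdict(False, "update query must use HTTPS to an allow-listed host")
    pkg = urlparse(manifest["package_url"])
    if pkg.scheme != "https" or pkg.hostname not in UPDATE_HOSTS:
        return Verdict(False, "package must be fetched over HTTPS from an allow-listed host")
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return Verdict(False, "refusing downgrade or same-version reinstall")
    if hashlib.sha256(package).hexdigest() != manifest["sha256"].lower():
        return Verdict(False, "package hash does not match manifest")
    return Verdict(True, f"installing {manifest['version']}")

def tampered_scenario():
    """Model of the article's threat: an on-path attacker on an open Wi-Fi network
    rewrites the unencrypted reply to point at a payload of their choosing."""
    evil_package = b"not the vendor's update (constructed sample)"
    evil_manifest = dict(GOOD_MANIFEST, package_url="http://203.0.113.9/patch.exe",
                         sha256=hashlib.sha256(evil_package).hexdigest())
    return evil_manifest, evil_package
```

The naive client installs the rewritten payload; the hardened client refuses it at the transport check before ever comparing hashes.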

Only those Lenovo machines with Windows 10 pre-installed sport the exposed app.

The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.

Laptops from Acer, Asus, Dell, and HP were also tested and found to have a dozen vulnerabilities. All contained at least one hijacking flaw, most of which are easy to exploit.

Lenovo says some 46 notebook and 25 desktop lines are affected, including its top end Y700 gaming laptop, IdeaCentre all-in-one desktops, and Yoga flip netbooks.

ThinkPad and ThinkStations are unaffected.

It follows the 2014 shelling of Lenovo after it bundled the Superfish adware which used a trusted root certification authority certificate that allowed attackers to spoof HTTPS traffic. ®
