The Channel logo


By | Darren Pauli 2nd June 2016 06:58

Lenovo cries 'dump our support app' after 'critical' hole found

Win 10 OEM: bloatware strikes again!

Lenovo is warning users to uninstall its Accelerator support application after it was revealed to have what it says are serious interception vulnerabilities.

The company is one of five vendors caught pre-installing dangerously-vulnerable OEM software.

Duo Security researcher Mikhail Davidov reported the holes that would allow eavesdropping attackers to tap into Accelerator's unencrypted update channels to compromise users.

"A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities," Lenovo says.

"The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.

"Lenovo recommends customers uninstall Lenovo Accelerator Application."

Unencrypted update channels open an avenue for attackers to among other efforts push malware masquerading as software patches. It is limited in that it requires affected users to connect to malicious or open wireless networks to be exposed.

Only those Lenovo machines with Windows 10 pre-installed sport the exposed app.

The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.

Laptops from Acer, Asus, Dell, and HP were also tested and found to have a dozen vulnerabilities. All contained at least one hijacking flaw, most of which are easy to exploit.

Lenovo says some 46 notebook and 25 desktop lines are affected, including its top end Y700 gaming laptop, IdeaCentre all-in-one desktops, and Yoga flip netbooks.

ThinkPad and ThinkStations are unaffected.

It follows the 2014 shelling of Lenovo after it bundled the Superfish adware which used a trusted root certification authority certificate that allowed attackers to spoof HTTPS traffic. ®

comment icon Read 38 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe