More like this

Business

Arrow

The Channel

Lenovo cries 'dump our support app' after 'critical' hole found

Win 10 OEM: bloatware strikes again!

Image by Moriz http://www.shutterstock.com/gallery-2031842p1.html

Lenovo is warning users to uninstall its Accelerator support application after it was revealed to have what it says are serious interception vulnerabilities.

The company is one of five vendors caught pre-installing dangerously-vulnerable OEM software.

Duo Security researcher Mikhail Davidov reported the holes that would allow eavesdropping attackers to tap into Accelerator's unencrypted update channels to compromise users.

"A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities," Lenovo says.

"The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.

"Lenovo recommends customers uninstall Lenovo Accelerator Application."

Unencrypted update channels open an avenue for attackers to among other efforts push malware masquerading as software patches. It is limited in that it requires affected users to connect to malicious or open wireless networks to be exposed.

Only those Lenovo machines with Windows 10 pre-installed sport the exposed app.

The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.

Laptops from Acer, Asus, Dell, and HP were also tested and found to have a dozen vulnerabilities. All contained at least one hijacking flaw, most of which are easy to exploit.

Lenovo says some 46 notebook and 25 desktop lines are affected, including its top end Y700 gaming laptop, IdeaCentre all-in-one desktops, and Yoga flip netbooks.

ThinkPad and ThinkStations are unaffected.

It follows the 2014 shelling of Lenovo after it bundled the Superfish adware which used a trusted root certification authority certificate that allowed attackers to spoof HTTPS traffic. ®

Sponsored: Customer Identity and Access Management