Major consumer PC manufacturer Lenovo is urging users to remove one of its updater applications that comes pre-installed in dozens of Lenovo laptop and desktop PC models following a damning report showing that security vulnerabilities in the app would make it possible for hackers to easily hijack the system.
Lennovo has issued a security advisory asking its users to delete the Accelerator Application from their laptops as it would enable a hacker to hijack the system using a man-in-the-middle attack. The software is designed to help speed up the launch of Lenovo applications and comes pre-installed in some Windows 10 notebook and desktop models.
The Accelerator Application affects 46 Lenovo notebook laptop models and 25 desktop PC models, and the software can be uninstalled by going to the Apps and Features application in Windows 10, selecting the entry "Lenovo Accelerator Application" and clicking on the "Uninstall" button.
Lenovo will no longer ship computers with the affected updater
On 31 May, US-based security firm Duo Security revealed that it had found numerous critical security vulnerabilities affecting the "bloatware" third party software that comes pre-installed with HP, Acer, Dell, Asus and Lenovo laptops that makes it possible for hackers to hijack and compromise the PCs in less than 10 minutes.
The researchers told IBTimes UK that they had tested 10 different laptops from various manufacturers over seven months, and it praised Lenovo and HP for taking the risks seriously and having a process in place for researchers to report such issues.
"Lenovo was the best. A few months ago we published a paper on users' privacy being affected by computer vulnerabilities and they took the initiative to reach out to us and offered us their contacts. They wanted us to contact them and tell them what we found as we continued our research," said Steve Manzuik, Duo Security's director of security research.
Not enough efforts made to secure updaters
The researchers said that bloatware is often created by many different departments and it is difficult for the manufacturer to track and make sure that each piece is completely secure as the turnaround for getting the software onto the PCs and getting them shipped out was very short.
"For example, in one Lenovo updater, they obviously put in a lot of effort to secure it, and then running parallel to it was another updater that had none of the security features enabled," said Duo security researcher Darren Kemp.
When Duo Security informed Lenovo this year about the critical vulnerabilities it had found, Lenovo decided it would completely remove the offending updater software from its products, hence the security advisory being issued.
Lenovo isn't a stranger to security vulnerability problems, however. In February 2015 it was discovered that Lenovo was allowing a third party adware app called Superfish by an Israeli firm that spied on secure banking and email communications to be shipped on its machines. Although the offending app was removed, the incident was a source of great embarrassment for the manufacturer.
The Lenovo PC models affected by the Accelerator Application app
Erazer N40-30/Erazer N40-45
Erazer N50-45/Erazer N50-45
FLEX 2 Pro
YOGA 3 14
Yoga 3 Pro
YOGA 500/YOGA 510
YOGA 700/YOGA 710/YOGA 900/YOGA 900S
D5010/ D5050/ D5055
F5005/ F5050/ F5055
G5005/ G5010/ G5050/ G5055
Yoga Home 500