Chinese PC firm Lenovo has advised users of its desktop and laptop systems to uninstall a pre-loaded app that could allow hackers to execute code remotely and carry out a man-in-the-middle (MitM) attack.
In an advisory, Lenovo said the vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available. Every time the app queried the server, the system could be exposed to MitM attacks.
According to the firm, the Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.
It said that it recommended that customers uninstall the app by going to the “Apps and Features” application in Windows 10, selecting Lenovo Accelerator Application and clicking on “Uninstall”.
The flaw was discovered by Mikhail Davidov, senior security researcher at Duo Security.
In a blog post, Darren Kemp, security researcher at Duo Security said that OEM software was making users vulnerable and invading privacy.
“Updaters are an obvious target for a network attacker; this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEMs to learn from this, right?” he said.
He said that every single vendor tested had at least one vulnerability that could allow a man-in-the-middle (MitM) attacker to execute arbitrary code as SYSTEM.
“We'd like to pat ourselves on the back for all the great bugs we found, but the reality is, it's far too easy,” said Kemp. The firm had tested systems not only from Lenovo, but also Acer, Asus, Dell and HP.
“Some vendors made no attempts to harden their updaters, while others tried to, but were tripped up by a variety of implementation flaws and configuration issues.”
Paco Hope, principal security evangelist at Cigital, told SCMagazineUK.com that this flaw is very common and it is the kind of flaw that architectural risk analysis can find in software designs. “The identical vulnerability was announced recently for KeePass and at the root of both of these is the fundamental insecurity of HTTP (as opposed to HTTPS),” he said.
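The weakness described above is an updater that queries its server over plain HTTP and trusts whatever comes back. The following is an added illustration, not code from Lenovo, Duo Security or Cigital, contrasting that pattern with a check that insists on HTTPS for the update query and verifies the payload's digest against the manifest; the hosts, manifest format and installer bytes are constructed stand-ins, and the network is simulated offline.

```python
import hashlib
import hmac
import json
from typing import Callable

Fetcher = Callable[[str], bytes]  # stand-in for the HTTP client (URL -> body)

# Constructed sample data; the hosts are hypothetical, not Lenovo's.
GENUINE_UPDATE = b"genuine-installer-bytes"
TAMPERED_UPDATE = b"attacker-substituted-installer"
MANIFEST_URL = "https://updates.example.invalid/manifest.json"
PAYLOAD_URL = "http://cdn.example.invalid/update.exe"  # payload host may lack TLS
MANIFEST = json.dumps({"url": PAYLOAD_URL,
                       "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest()}).encode()


def honest_network(url: str) -> bytes:
    """The vendor's servers answering as intended (constructed)."""
    return MANIFEST if url.endswith("manifest.json") else GENUINE_UPDATE


def mitm_network(url: str) -> bytes:
    """On-path attacker: plain-HTTP responses can be rewritten, while an HTTPS
    response with certificate verification reaches the client unchanged."""
    if url.startswith("https://"):
        return honest_network(url)
    tampered = json.dumps({"url": PAYLOAD_URL,
                           "sha256": hashlib.sha256(TAMPERED_UPDATE).hexdigest()}).encode()
    return tampered if url.endswith("manifest.json") else TAMPERED_UPDATE


def vulnerable_update_check(fetch: Fetcher) -> bytes:
    """The pattern the advisory describes: the update query goes out over plain
    HTTP and whatever comes back is trusted and run with SYSTEM privileges."""
    manifest = json.loads(fetch(MANIFEST_URL.replace("https://", "http://")))
    return fetch(manifest["url"])


def hardened_update_check(fetch: Fetcher) -> bytes:
    """Manifest only over HTTPS (a real client also keeps certificate
    verification on, as urllib's default ssl context does), and the payload
    is accepted only if its digest matches the one the manifest carries."""
    if not MANIFEST_URL.startswith("https://"):
        raise ValueError("refusing to query update server without TLS")
    manifest = json.loads(fetch(MANIFEST_URL))
    payload = fetch(manifest["url"])
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise ValueError("update payload digest mismatch; refusing to install")
    return payload


def hardened_accepts(fetch: Fetcher) -> bool:
    """True if the hardened check would install what this network delivers."""
    try:
        hardened_update_check(fetch)
        return True
    except ValueError:
        return False
```

With the simulated attacker in place, the vulnerable check installs the substituted binary while the hardened check rejects it on the digest mismatch.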
Lee Munson, security researcher at Comparitech.com, told SC that as for whether vendors should be installing bloatware, he would argue ‘no’ because of the security risk it can pose, the sheer annoyance of it and the impact it can have on a system's speed and storage space.
“Lenovo essentially backtracking is a prime example of why software vendors shouldn't be doing this,” he said.
“At the end of the day it's about users educating themselves to ensure they're aware of the risks of what's running on their machines and know how to identify and remove risky programs. As market forces govern the market for PCs – which are seeing continuing drops in sales figures – buyers, who would revolt if hardware prices suddenly increased, should take responsibility to remove the ‘junk’ themselves.”