Lenovo has waved the white flag on a vulnerable component of its pre-installed software updater and recommends that users uninstall it from more than 110 notebook and desktop models running Windows 10.
The decision to have users yank the Lenovo Accelerator Application comes days after a Duo Labs study on bloatware vulnerabilities exposing machines from five leading computer manufacturers to a variety of attacks.
Lenovo published a security advisory yesterday explaining that Lenovo Accelerator Application, which reaches out to Lenovo servers for application updates, is susceptible to man-in-the-middle attacks. Lenovo says the software is also used to speed up the launch of Lenovo applications.
“Lenovo recommends customers uninstall Lenovo Accelerator Application by going to the ‘Apps and Features’ application in Windows 10, selecting Lenovo Accelerator Application and clicking on ‘Uninstall,’” Lenovo says in its advisory, adding that ThinkPad and ThinkStation notebooks and devices do not have the software installed.
Lenovo machines were among others from Dell, HP, Asus and Acer whose bloatware was pulled apart by Duo Labs researchers in a study prompted by last year’s Superfish and eDellRoot vulnerability disclosures that demonstrated the potential risks associated with pre-installed updaters.
These updaters are used to enhance pre-installed apps that come with most consumer and business computers; these are primarily feature updates and not security updates.
The Duo Labs report looked at two updaters, Lenovo Solution Center and UpdateAgent. Lenovo Solution Center has mitigations that prevent man-in-the-middle attacks, which the report identifies as the principal risk to these updaters. UpdateAgent, meanwhile, is ripe for remote code execution attacks, the report said.
“The stark contrast between these two pieces of software from the same vendor exemplifies the incoherent mess that is the OEM software ecosystem,” Duo researchers Darren Kemp, Chris Czub and Mikhail Davidov wrote.
Duo Labs was particularly critical of UpdateAgent, calling it “one of the worst updaters” examined in the report, adding that it had no native security.
“Executables and manifests are transmitted in the clear and no code-signing checks are enforced,” the report says.
The agent pings a Lenovo server every 10 minutes for updates. Attackers who already have a man-in-the-middle position are able to modify responses and insert their own malicious updates. Since there is no verification or encryption protecting the transmission of updates, it’s trivial for an attacker to insert malicious code.
“The UpdateAgent is part of the Application Accelerator. It was unclear at the time of discovery what its legitimate use was for,” Duo Labs’ Davidov said. “Lenovo’s decision to advise users to uninstall it manually seems strange to me as an update can be pushed to all affected models to uninstall itself without requiring user interaction.”
In stark contrast, Duo Labs said, Lenovo Update Center was among the most secure updaters. Manifests are signed and validated, and updates and manifests are sent over HTTPS, putting up a significant barrier to man-in-the-middle attacks.
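The two updater behaviours the report contrasts (a manifest fetched in the clear with no signature check, versus a signed manifest that pins the payload hash) come down to one decision in the client: does it verify anything it cannot trust the network to protect? The following Python is an added illustration written for this article, not code from Lenovo or from the Duo Labs report. It uses an HMAC-SHA256 tag as a stand-in for a real code-signing signature so that it runs with the standard library alone; a production updater would verify an asymmetric signature against a public key embedded in the client, over TLS. The manifests, payload bytes and key are constructed for the example.

```python
"""Added example: why a hash check anchored in an unsigned manifest protects nothing.

Two toy update clients are modelled. The naive one (the pattern the report
criticises) checks the payload hash against the manifest it received, but the
manifest itself is unauthenticated, so a tampered response carries a matching
hash for whatever payload was substituted. The hardened one first verifies a
signature over the manifest body and only then checks the pinned payload hash.
HMAC-SHA256 is used here purely as a stand-in for code signing; a real client
would verify an asymmetric signature against an embedded public key.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed for the example: shared key standing in for a code-signing key pair.
SIGNING_KEY = b"example-signing-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Canonical JSON so the signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict) -> Dict[str, str]:
    """Produce the envelope an update server would publish: body plus signature."""
    body = canonical(manifest)
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": sig}


def verify_envelope(envelope: Dict[str, str]) -> Optional[dict]:
    """Return the manifest only if the signature over its body is valid."""
    body = envelope["body"].encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("sig", "")):
        return None
    return json.loads(body)


def naive_update(envelope: Dict[str, str], payload: bytes) -> str:
    """Unauthenticated manifest: the hash check only confirms the attacker's own math."""
    manifest = json.loads(envelope["body"])          # trusted as received
    if not hmac.compare_digest(manifest["sha256"], sha256_hex(payload)):
        return "reject: payload hash mismatch"
    return "install"


def hardened_update(envelope: Dict[str, str], payload: bytes) -> str:
    """Signed manifest first, pinned payload hash second; anything else is rejected."""
    manifest = verify_envelope(envelope)
    if manifest is None:
        return "reject: bad manifest signature"
    if not hmac.compare_digest(manifest["sha256"], sha256_hex(payload)):
        return "reject: payload hash mismatch"
    return "install"


def run_scenarios() -> Dict[str, str]:
    """Feed both clients a genuine response and a response altered in transit."""
    genuine_payload = b"MZ constructed genuine update bytes"
    genuine = sign_manifest({"name": "ExampleAgent", "version": "1.2.3",
                             "sha256": sha256_hex(genuine_payload)})

    # Constructed tampered response: body rewritten to describe a substituted
    # payload, but the original signature is all the forger has to offer.
    substituted_payload = b"MZ constructed substituted bytes"
    tampered = dict(genuine)
    tampered["body"] = canonical({"name": "ExampleAgent", "version": "1.2.4",
                                  "sha256": sha256_hex(substituted_payload)}).decode()

    return {
        "naive_genuine": naive_update(genuine, genuine_payload),
        "naive_tampered": naive_update(tampered, substituted_payload),
        "hardened_genuine": hardened_update(genuine, genuine_payload),
        "hardened_tampered_manifest": hardened_update(tampered, substituted_payload),
        "hardened_swapped_payload": hardened_update(genuine, substituted_payload),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:28s} -> {outcome}")
```

The naive client reaches "install" in both the genuine and the tampered case, because its only check is a hash that the unauthenticated manifest supplied. The hardened client installs the genuine update, rejects the rewritten manifest on the signature check, and rejects a swapped payload on the pinned hash even when the manifest itself is authentic; transporting both over HTTPS, as the report credits Lenovo's secure updater with doing, adds the channel protection that keeps the manifest from being rewritten in the first place.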
Duo Labs’ Kemp told Threatpost that Lenovo was the most responsive vendor it reached out to during its research.
“It’s encouraging to have that kind of response from Lenovo,” he said. “They were the most helpful vendor.”
Lenovo’s advisory has a list of all affected notebook and desktop models.
These issues are not unique to Lenovo. Machines from all of the vendors Duo Labs examined had similar flaws: a lack of encryption, privilege escalation and remote code execution vulnerabilities. Among the vendors that did encrypt the transmission of updates, for example, some implementations were poor or failed to include proper validation checks.
Duo Labs found and privately disclosed a dozen vulnerabilities, half of which were rated high-severity. Asus and Acer have yet to patch any of the flaws reported to them; the two Asus bugs are more than 125 days old and allow for code execution and privilege escalation, while the Acer flaws are more than 45 days old and both expose systems to arbitrary code execution. HP has patched four of the seven flaws reported to it, while Dell has silently updated some flaws, and has mitigations in place that prevent the exploitation of others.