Lenovo warns bloatware on laptops and desktops leaving users open to attack

Firm tells users to remove pointless Lenovo Accelerator Application software

Lenovo has acknowledged that a piece of bloatware on a huge number of its laptop and desktop devices, called Lenovo Accelerator Application, is insecure and is leaving users open to attack.

Lenovo admitted to the problem in a security advisory and urged users to remove the software.

"A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available," it said.

"Lenovo recommends customers uninstall Lenovo Accelerator Application by going to the 'Apps and Features' application in Windows 10, selecting Lenovo Accelerator Application and clicking on 'Uninstall'."

Lenovo describes the Accelerator Application as being used "to speed up the launch of Lenovo applications", but ultimately it is a pointless bit of bloatware of the kind that many laptop vendors install on their machines.

Lenovo can have no excuse for not being aware of this issue, as last year it was raked over the coals for a piece of software called Superfish that was found to be inherently insecure. The firm's CTO promised lessons would be learnt from the incident.

Other vendors affected

This all came to light earlier in the week when security firm Duo Security identified 12 vulnerabilities across laptops built by some of the biggest laptop vendors, including Dell, HP, Asus, Acer and Lenovo.

The problems relate to the bloatware that vendors put on laptops. "The OEM software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivised crapware. Some apps do nothing more than add a shortcut to launch your web browser to a specific site," the company said.

"The experience is annoying to most people for a number of reasons. In addition to wasting disk space, consuming RAM, and generally degrading the user experience, OEM software often has serious implications for security."

"Every time something like this happens we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any, security review was performed," said Duo.

"It's well known in the security research community that OEM software is a vulnerability minefield, but finding them is not particularly exciting. But that's also why OEM software has remained a major security problem.

"So we decided to dig deep to find out just how bad the issue is, and provide recommendations for consumers to protect themselves against the security gaps and annoyance that bloatware presents."

The report explained that Dell has a high-risk vulnerability called eDellRoot, which we have covered before. The security firm said that the threat involves certificate best practices or, as we assume, certificate worst practices. HP has two high-ranking flaws that can enable arbitrary code execution and five lesser vulnerabilities.

Asus and Lenovo have one high-risk vulnerability each, again risking arbitrary code execution, while Acer has two, and Asus has one medium-severity local privilege escalation flaw.

The 10 devices tested were Lenovo Flex 3, HP Envy, HP Stream x360 (Microsoft Signature Edition), HP Stream (UK version), Lenovo G50-80 (UK version), Acer Aspire F15 (UK version), Dell Inspiron 14 (Canada version), Dell Inspiron 15-5548 (Microsoft Signature Edition), Asus TP200S and Asus TP200S (Microsoft Signature Edition).