CIO

Lenovo warns users to remove its Windows 10 bloatware

Lenovo has warned customers to uninstall insecure software that comes pre-installed on dozens of its notebooks and desktop systems.

The company issued a warning on Thursday for customers to uninstall Lenovo Accelerator Application. The notice came days after security firm Duo Labs drew attention to security flaws in the updater software that services the pre-installed software shipping with Windows devices from Acer, Asus, Dell, HP, and Lenovo.

Lenovo on Thursday said that a high severity issue affecting the Lenovo Accelerator Application could allow remote code execution if an attacker had local network access. The flawed application is installed on scores of Lenovo models, including several from its popular Yoga line, but not its business-focussed ThinkPad and ThinkStation devices.

Duo Labs reported the bug to Lenovo ahead of publishing its report this week, which exposed 12 flaws in updaters that support pre-installed software from major Windows hardware manufacturers. The flaws it reported could allow attackers to intercept and tamper with updates in transit from the vendors to vulnerable computers.

“A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available,” Lenovo said in its security bulletin.

According to Lenovo, the pre-installed software was used to “speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.”

Lenovo advised customers to uninstall the application by going to the “Apps and Features” application in Windows 10, selecting Lenovo Accelerator Application and clicking “Uninstall”.

Duo Labs noted in its report that a process called LiveAgent could expose some Lenovo models to a man-in-the-middle attack and that it was scheduled to be removed from Lenovo systems “in late June”.
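One way to check a machine (or, over remoting, a fleet) for the application described above and remove it without clicking through "Apps and Features", and to flag the LiveAgent process Duo Labs mentions, as an added PowerShell example that is not taken from Lenovo's bulletin or the Duo Labs report. It assumes the application registers under the standard Uninstall registry keys with a DisplayName beginning "Lenovo Accelerator Application" and that the LiveAgent process is named "LiveAgent"; neither detail is stated on the page. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Lenovo's or Duo Labs' code): find and remove the
# Lenovo Accelerator Application and report whether LiveAgent is running.
# Assumptions: the app appears in the Uninstall keys below with a
# DisplayName starting "Lenovo Accelerator Application", and the
# LiveAgent process is literally named "LiveAgent". Run as Administrator.

# 64-bit and 32-bit (WOW6432Node) views of the per-machine Uninstall list.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-LenovoAcceleratorEntries {
    # Enumerate every registered program and keep only the Accelerator entries.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Lenovo Accelerator Application*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString, QuietUninstallString
}

function Remove-LenovoAccelerator {
    param([switch]$WhatIf)   # -WhatIf only reports what would be run
    $entries = Get-LenovoAcceleratorEntries
    if (-not $entries) {
        Write-Output 'Lenovo Accelerator Application is not installed.'
        return
    }
    foreach ($entry in $entries) {
        # Prefer the vendor's silent uninstall command when one is registered.
        $cmd = if ($entry.QuietUninstallString) { $entry.QuietUninstallString }
               else { $entry.UninstallString }
        Write-Output "Found $($entry.DisplayName) $($entry.DisplayVersion): $cmd"
        if ($WhatIf) { continue }
        # The registry value is a complete command line, so hand it to cmd.exe
        # rather than trying to split the executable from its arguments.
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $cmd" -Wait -NoNewWindow
    }
}

# LiveAgent, which Duo Labs said exposes some models to MITM: report it if running.
$liveAgent = Get-Process -Name 'LiveAgent' -ErrorAction SilentlyContinue
if ($liveAgent) {
    Write-Output "LiveAgent is running (PID $($liveAgent.Id -join ', '))."
} else {
    Write-Output 'LiveAgent is not running.'
}

Remove-LenovoAccelerator -WhatIf   # drop -WhatIf to perform the uninstall
```

The script reads the uninstall command from the registry rather than hard-coding a path, so it works whichever directory the installer used; rerun Get-LenovoAcceleratorEntries afterwards and expect no output to confirm removal. The same detection query is a reasonable starting point for a fleet-wide inventory before deciding what else to uninstall.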

The Lenovo bug was only one of the 12 that Duo Labs identified across the five Windows hardware makers.

However, Duo Labs was critical of Lenovo's inconsistent approach to securing the two updaters it looked at, Lenovo Solutions Center and "UpdateAgent."

“The first of which has been hardened against MITM attacks, while the other appears to be a robust platform for arbitrary remote code execution. The stark contrast between these two pieces of software from the same vendor exemplifies the incoherent mess that is the OEM software ecosystem,” the security firm said.