Slashdot Mirror


Top Windows OEM Lenovo Urges Customers To Uninstall Accelerator Application (lenovo.com)

Two-factor authentication service Duo Security reported earlier that third-party updating tools found on machines from Dell, HP, Lenovo, Acer, and Asus (the top five Windows OEMs) are vulnerable to man-in-the-middle attacks. Hours later, Lenovo, the world's largest Windows OEM by shipment figures, issued an advisory urging users to uninstall Accelerator Application, which comes preinstalled on many of its laptop and desktop models. Fortune reports: Specifically, as Lenovo said in an advisory notice, the auto-update feature in its Accelerator Application software can be exploited by a "man-in-the-middle attack" -- someone could get in between the computer and the server pushing out the updated software, fooling the computer into installing a fake version of the update instead of the genuine article. Such attacks can allow anything from surreptitious malware installation to the insertion of surveillance capabilities, or even the hijacking of PCs.

49 comments

  1. If you were only using Linux by Anonymous Coward · · Score: 0, Flamebait

    Just getting that out of the way for the "Linux cures everything" crowd.

    1. Re:If you were only using Linux by darkain · · Score: 1

      Perfect timing, since a post just went live on the /. homepage about the latest Linux kernel not being able to boot!

    2. Re:If you were only using Linux by mspohr · · Score: 1

      I don't know about "everything" but it sure would fix this problem.

      --
      I don't read your sig. Why are you reading mine?
    3. Re: If you were only using Linux by Anonymous Coward · · Score: 0

      For some people

  2. Doubledy Dupey Drats by Anonymous Coward · · Score: 0

    Here we go again

    Kids, just say NO to drugs!

    1. Re:Doubledy Dupey Drats by LVSlushdat · · Score: 1, Interesting

      Just say no to bloatware, a clean reinstall of your os is getting to be mandatory.. ANYthing the manufacturer puts on your new computer besides the base os and any basic necessary drivers is BLOATWARE and should be removed.. Of course, *some* of us, when we buy a new pc, take ALL of the spyware/bloatware/crapware off and put Linux on... Guess that makes "Windows NSA edition" bloatware... heh

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    2. Re:Doubledy Dupey Drats by Anonymous Coward · · Score: 0

      Just say no to bloatware, a clean reinstall of your os is getting to be mandatory.. ANYthing the manufacturer puts on your new computer besides the base os and any basic necessary drivers is BLOATWARE and should be removed.. Of course, *some* of us, when we buy a new pc, take ALL of the spyware/bloatware/crapware off and put Linux on... Guess that makes "Windows NSA edition" bloatware... heh

      Unfortunately for those that desire to still run Windows, it is almost impossible to get a legal OS disk or a recovery disk that doesn't automatically install all the bloatware as part of the process. Even harder with W10 having half a million telemetry reporting objects (just being silly, it's only about 100 reporting streams as indicated by my router logs) as the bloatware is actually W10. :-)

    3. Re: Doubledy Dupey Drats by GreenEnvy22 · · Score: 4, Insightful

      Almost impossible like this for Windows 8: http://windows.microsoft.com/e... And this for Windows 10: http://www.microsoft.com/en-ca... It's come a long way since Windows 7 and earlier.

    4. Re:Doubledy Dupey Drats by mlts · · Score: 1

      With some bloatware I've come across, I would doubt the NSA would want their name sullied by being associated with it. Every time I see an "accelerator" program, I'm already smelling some type of BS. Either one trades privacy by having a third party MITM web pages to "accelerate" them, or a program tries reinventing the wheel, trying to redo some established crypto standard, and falling flat.

      As for program updates, there is a very simple way to do it:

      1: Have a set of gpg keys that go with the program.
      2: Come time to check for updates, do a curl, fetch a manifest via https.
      3: Check the manifest against the proper GPG key. If the manifest doesn't validate, cough up an error.
      4: If the manifest is properly signed, go and fetch files and their .sig files via https.
      5: Check the .sig files against the downloaded files.
      6: If all jives, apply and patch.

      SSL handles transport, gpg handles the authenticity if there is an update, and what the updated files are. If a CA is compromised and someone injects bogus files, they will be stopped at step #3 or #5, with the only practical attacks being linking the files to /dev/zero (so the curl command keeps going), or trying to find where the private key is located and compromise that.
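
The update check from the comment above (steps 2 to 6), written out as an added example; it is not part of the original post and is not any vendor's updater. The one-name-per-line `manifest.txt`, the `NAME.sig` naming and the use of `gpgv` for the signature checks are assumptions, and the download caps address the endless-response case the post mentions.

```sh
#!/bin/sh
# Added example: client side of steps 2-6 of the post above.
# Assumed, not from the post: manifest.txt lists one file name per line and
# every object NAME has a detached signature NAME.sig beside it.

# fetch URL OUTFILE: HTTPS only, with time and size caps so an endless
# response (the /dev/zero case) cannot keep the download running.
fetch() {
    curl --silent --show-error --fail --proto '=https' --tlsv1.2 \
         --max-time 120 --max-filesize 104857600 --output "$2" "$1"
}

# verify_sig KEYRING SIG DATA: gpgv accepts only keys found in KEYRING (the
# vendor keys shipped with the program). Give KEYRING as a path containing a
# slash, otherwise gpgv looks for it in its home directory.
verify_sig() {
    gpgv --quiet --keyring "$1" "$2" "$3" 2>/dev/null
}

# fetch_verified BASE_URL KEYRING STAGE NAME: download NAME and NAME.sig
# into STAGE; succeed only if the signature over NAME is valid.
fetch_verified() {
    fetch "$1/$4" "$3/$4" && fetch "$1/$4.sig" "$3/$4.sig" &&
        verify_sig "$2" "$3/$4.sig" "$3/$4"
}

# stage_update BASE_URL KEYRING STAGE: return 0 only when the manifest and
# every file it lists verify. On any failure STAGE is emptied, so nothing
# unverified is left for the install step to pick up.
stage_update() {
    mkdir -p "$3" || return 1
    if ! fetch_verified "$1" "$2" "$3" manifest.txt; then
        echo "update rejected: bad manifest signature" >&2
        rm -rf "${3:?}"/*
        return 1
    fi
    while IFS= read -r name <&3; do
        [ -n "$name" ] || continue
        # Plain file names only: no path components, no leading dash or dot.
        case $name in
            */* | -* | .*) name_ok=no ;;
            *) name_ok=yes ;;
        esac
        if [ "$name_ok" = no ] || ! fetch_verified "$1" "$2" "$3" "$name"; then
            echo "update rejected: $name failed verification" >&2
            rm -rf "${3:?}"/*
            return 1
        fi
    done 3< "$3/manifest.txt"
    return 0
}
```
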

    5. Re: Doubledy Dupey Drats by Anonymous Coward · · Score: 0

      Even after a clean reinstall of Windows, the os will grab the Lenovo malware installer stored in the bios and install it under the system account.

      There is no such thing as a "clean" install of Windows anymore.

      All of this crap is put right back on without asking or even informing you.

    6. Re: Doubledy Dupey Drats by Anonymous Coward · · Score: 0

      This is a lie

    7. Re: Doubledy Dupey Drats by Coren22 · · Score: 1

      Even with Windows 7 you could just download the CD from MS. The big thing though is that you need to pull the drive. Often, the install process nowadays pulls the drivers and installs software that is detailed in the recovery partition. So even if you use an ISO from MS directly, it will install the crapware.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  3. That's one way to stop bloatware! by ErichTheRed · · Score: 3, Interesting

    I wouldn't be surprised if more attacks don't start targeting the installed-by-default bloatware on most home and some business PCs. From what I've seen, these steaming piles are usually written by the cheapest offshore dev place the vendor could find, or are licensed reskinned third-party applications using a million out of date components. The good news is that there are fewer vendor-specific tools absolutely _required_ to run hardware on a Windows laptop anymore because Microsoft provides native controls for most components in Windows 10. The bad news is that the few that remain required are very tied to the hardware and probably have a lot of privilege use on the system that people don't know about. Just look at what happens on some HP laptops when you press the Volume or Brightness keys -- CPU spikes for a few seconds while Windows loads whatever .NET module HP wrote to talk to the device driver and tell it to do its thing. I doubt any of that interaction is heavily audited or even well tested before it goes out.

    All the more reason to just wipe the machine and install a clean OS build from scratch when you get it!

    1. Re:That's one way to stop bloatware! by bmo · · Score: 1

      I wouldn't be surprised if more attacks don't start targeting the installed-by-default bloatware on most home and some business PCs.

      https://duo.com/blog/out-of-bo...


      "The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial."

      --
      BMO

    2. Re:That's one way to stop bloatware! by U2xhc2hkb3QgU3Vja3M · · Score: 2

      "The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial."

      That sounds like something Douglas Adams would have written.

  4. This headline brought to you by... by theIsovist · · Score: 1

    This headline brought to you by the department of redundancy department.

    1. Re:This headline brought to you by... by __aaclcg7560 · · Score: 1

      One application application to rule them all.

    2. Re:This headline brought to you by... by U2xhc2hkb3QgU3Vja3M · · Score: 5, Funny

      You know we're all in big trouble once the Department of recursivity department merges with the Department of redundancy department.

  5. Accelerator Application Application? by jddj · · Score: 3, Funny

    The app so nice, they had to name it twice?

    Or maybe it's an Application Application because of two-factor?

  6. Hey Moderator, get rid of that HP logo at the top. by Anonymous Coward · · Score: 0

    The Slashdot post and the article referenced has to do mostly with Lenovo, not HP.

  7. Lenovo Laptops by CrashNBrn · · Score: 4, Informative

    NTLite + (Windows10 ISO | Insider Preview ISO) + slipstreamed Lenovo Drivers + create ISO.
    Rufus to USB Stick (GPT Partition Scheme, FAT32).
    Clean Install Windows 10. Change License key to: VK7JG-NPHTM-C97JM-9MPGT-3V66T
    Change License key to purchased Windows 10 Pro key. Register.

    Don't even bother trying to use the recommended Media Creation Tool. When you have an OEM Windows machine it appears to ALWAYS fail to actually create the media (USB stick).

    1. Re:Lenovo Laptops by CrashNBrn · · Score: 1

      Addendum:
      Windows 10 Pro licenses for $29.99.. Granted, I was skeptical, but the licenses are valid, and they (Bonanza) have guaranteed refunds along with payment via Paypal or Amazon Pay.

    2. Re:Lenovo Laptops by eumoria · · Score: 1

      I manage over 200 computers both from Lenovo and Dell and have experienced this 0 times. What does it do when it fails? Is there data on the stick but not booting? Does the media creation tool give an error of some kind?

    3. Re:Lenovo Laptops by CrashNBrn · · Score: 1

      <NOTE>: You will need to turn off "secure boot" in the UEFI (BIOS) to install a non-signed ISO.

    4. Re:Lenovo Laptops by CrashNBrn · · Score: 1

      windows activation error code 0xc004f014:
      Error Code 0x80070456 - 0xA0019 - Windows 10 Media Creation Tool - USB - Microsoft Community

      On both my HP Laptop with Win 8 Home. And my Lenovo Laptop with Win 10 Home. The Media Creation Tool downloads the ISO to "somewhere". Then promptly fails to actually create the media (USB) with the aforementioned error.

    5. Re:Lenovo Laptops by CrashNBrn · · Score: 1

      Dammit, ignore the activation code google link. That's from trying to upgrade from OEM Windows Home "N" to Pro, without first putting in the "VK7JG-NPHTM-C97JM-9MPGT-3V66T" key to initiate the upgrade to Pro. Since even though I used a Windows 10 PRO "disc" - due to there being a Lenovo Volume Licensing Windows HOME key burned in the BIOS, the installer puts Windows Home onto your SSD|HD. Then you need to upgrade to Pro. Reboot. Enter Valid Pro key. Register.

    6. Re:Lenovo Laptops by eumoria · · Score: 1

      thank you for the info wow that sucks :( my systems are all 8.1 pro units with the keys stored in hardware so maybe that changes things.

    7. Re:Lenovo Laptops by RubberDogBone · · Score: 1

      G2A is another retailer specializing in reselling legitimate software licences. I've used them for Windows licenses and security software licenses, without any issues.

      --
      Sig for hire.
    8. Re:Lenovo Laptops by CrashNBrn · · Score: 0

      Windows 10 is the first time I can honestly say, what Microsoft has done, looks and performs like what a modern version of Win2K should be. The default theme, even is dark. There's a few quirks with ejecting USB that Windows 8 doesn't seem to have. Other than that, best OS from Microsoft in 16 years.

  8. Re:it was always fucking bloat ware by U2xhc2hkb3QgU3Vja3M · · Score: 1, Funny

    This planet has a problem, which is this: most of the people living on it are unhappy pretty much all of the time. Many solutions are suggested for this problem, but most of these are largely concerned with the movement of small green pieces of paper, which is odd because on the whole it isn't the small green pieces of paper that are unhappy.

    Many are increasingly of the opinion that we've all made a big mistake in coming down from the trees in the first place. And some say that even the trees have been a bad move, and that no one should ever have left the oceans.

  9. Self-Fixing Problem by apoc.famine · · Score: 0

    Just use the exploit in the application to uninstall the application. Users who would be affected by the exploit will have the application removed, users who would not be affected will not have it removed.
     
    Is it legal? No. But who among the people that still have this bloatware installed is going to notice?

    --
    Velociraptor = Distiraptor / Timeraptor
    1. Re:Self-Fixing Problem by Anonymous Coward · · Score: 0

      That would just be history repeating itself: http://www.kaspersky.com/news.html?id=228

  10. Upgrade to Win10, then wipe and... by Anonymous Coward · · Score: 0

    do a fresh install from a Win10 iso. That way all crapware from lenovo is gone. Or... Install Linux!

  11. Not Bloatware, SubsidyWare by Anonymous Coward · · Score: 0

    It's not "bloatware", it's "subsidyware".

    The software subsidizes the cost of the hardware. Software makers pay to have this software installed, and the PC maker passes savings on to you!

    Don't like it? Pay the full cost of the hardware.

    Software makers pay between $1-$10 per piece of software, and a typical PC may have hundreds of applications.

    Don't like "bloatware" on your $350 PC, prepare to pay $700.

    Don't like "bloatware" on your $500 laptop, prepare to pay $1000.

    1. Re:Not Bloatware, SubsidyWare by __aaclcg7560 · · Score: 1

      Don't like "bloatware" on your $350 PC, prepare to pay $700.

      I can build a nice system from scratch for $350. If I had another $350 on top of that, I would get a nice video card.

    2. Re:Not Bloatware, SubsidyWare by pete6677 · · Score: 2

      The more expensive laptops still have all the same shit installed. Nice troll.

    3. Re:Not Bloatware, SubsidyWare by Holi · · Score: 1

      Would you have a valid license for the same OS? Otherwise add $119 USD.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    4. Re:Not Bloatware, SubsidyWare by __aaclcg7560 · · Score: 1

      Would you have a valid license for the same OS? Otherwise add $119 USD.

      The $350 would include the Windows license. Amazon has Win7 for $70 and Win10 for $86.

  12. Software and stuff. by Anonymous Coward · · Score: 0

    When I first received my Lenovo laptop I immediately removed the copy of windows it came pre-installed with along with the not-so-wondrous bloatware, and installed a clean copy of Ubuntu after zeroing out the m2 drive.

  13. I bought a Lenovo laptop... once by Anonymous Coward · · Score: 0

    Since I've always loved the "IBM keyboard", I bought a Lenovo laptop a couple of years ago. It was so insanely full of bloatware with all forms of strange behavior trying to get me to download more crap, register at suspicious sites etc. I tried to get rid of a lot of it, but the machine was slow and some things did not seem to be possible to get rid of and in the end I had to reinstall Windows. To get a Windows DVD to install from, I had to go to some Lenovo site and pay some money for shipping. And that site tried to get me to pay to some bank in Slovakia (I'm in Sweden) and that's when I went out and bought a new license for Windows. Also the last time I buy anything from Lenovo except for standalone "laptop-ish" keyboard.

    Summary: Spent a number of hours trying to get the machine into shape, had to pay an extra Windows license and had to spend time to do a reinstall of Windows before I dared using the machine. After that, the machine has served its purpose and I can't complain about the hardware (and works fine as a dual-boot too), but never again that I buy some preinstalled crapware laptop.

  14. Re:it was always fucking bloat ware by Anonymous Coward · · Score: 0

    Do you have an original thought, or just like stealing quotes without attribution?

  15. Dont quote Douglas Adams anot say so. Boooo on you by Anonymous Coward · · Score: 0

    This planet has a problem, which is this: most of the people living on it are unhappy pretty much all of the time. Many solutions are suggested for this problem, but most of these are largely concerned with the movement of small green pieces of paper, which is odd because on the whole it isn't the small green pieces of paper that are unhappy.

    Many are increasingly of the opinion that we've all made a big mistake in coming down from the trees in the first place. And some say that even the trees have been a bad move, and that no one should ever have left the oceans.

    This would be a witty comment if you didn't steal it from Hitchhiker's Guide to the Galaxy.

  16. Booo You quoted Douglas Adams and took it as yours by Anonymous Coward · · Score: 0

    Don't quote Hitchhikers Guide to the Galaxy and not give credit. You suck.

  17. VK7JG-NPHTM-C97JM-9MPGT-3V66T? by antdude · · Score: 1

    Why VK7JG-NPHTM-C97JM-9MPGT-3V66T?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    1. Re:VK7JG-NPHTM-C97JM-9MPGT-3V66T? by CrashNBrn · · Score: 1
      Fix for Upgrading from Windows 10 Home to Windows 10 Pro

      Now you’ll want to enter the default Windows 10 Pro product key as mentioned by Charles From Microsoft:

      From your Windows 10 Home running Version 1511, enter the Windows 10 Pro Default key under change product key.
      VK7JG-NPHTM-C97JM-9MPGT-3V66T This default key will not activate the system, just take you to Pro so you can activate using a valid Pro key that you will provide.

    2. Re:VK7JG-NPHTM-C97JM-9MPGT-3V66T? by antdude · · Score: 1

      Thanks. MS never banned this trick?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).