Top Windows OEM Lenovo Urges Customers To Uninstall Accelerator Application

Two-Factor Authentication service Duo Security reported earlier that third-party updating tools found on Dell, HP, Lenovo, Acer, and Asus (the top five Windows OEMs) are vulnerable to man-in-the-middle attack. Hours later, Lenovo, the world's largest Windows OEM by shipment figure, has issued an advisory in which it urges users to uninstall Accelerator Application, which comes preinstalled on many of its laptops and desktops models. Fortune reports: Specifically, as Lenovo said in an advisory notice, the auto-update feature in its Accelerator Application software can be exploited by a "man-in-the-middle attack" -- someone could get in between the computer and the server pushing out the updated software, fooling the computer into installing a fake version of the update instead of the genuine article. Such attacks can allow anything from surreptitious malware installation to the insertion of surveillance capabilities, or even the hijacking of PCs.

That's one way to stop bloatware!

[ErichTheRed]

I wouldn't be surprised if more attacks don't start targeting the installed-by-default bloatware on most home and some business PCs. From what I've seen, these steaming piles are usually written by the cheapest offshore dev place the vendor could find, or are licensed reskinned third-party applications using a million out of date components. The good news is that there are fewer vendor-specific tools absolutely _required_ to run hardware on a Windows laptop anymore because Microsoft provides native controls for most components in Windows 10. The bad news is that the few that remain required are very tied to the hardware and probably have a lot of privilege use on the system that people don't know about. Just look at what happens on some HP laptops when you press the Volume or Brightness keys -- CPU spikes for a few seconds while Windows loads whatever .NET module HP wrote to talk to the device driver and tell it to do its thing. I doubt any of that interaction is heavily audited or even well tested before it goes out.

All the more reason to just wipe the machine and install a clean OS build from scratch when you get it!

Re:Doubledy Dupey Drats

[LVSlushdat]

Just say no to bloatware, a clean reinstall of your os is getting to be mandatory.. ANYthing the manufacturer puts on your new computer besides the base os and any basic necessary drivers is BLOATWARE and should be removed.. Of course, *some* of us, when we buy a new pc, take ALL of the spyware/bloatware/crapware off and put Linux on... Guess that makes "Windows NSA edition" bloatware... heh