Slashdot Mirror
Top Windows OEM Lenovo Urges Customers To Uninstall Accelerator Application (lenovo.com)
Two-Factor Authentication service Duo Security reported earlier that third-party updating tools found on Dell, HP, Lenovo, Acer, and Asus (the top five Windows OEMs) are vulnerable to man-in-the-middle attack. Hours later, Lenovo, the world's largest Windows OEM by shipment figure, has issued an advisory in which it urges users to uninstall Accelerator Application, which comes preinstalled on many of its laptops and desktops models. Fortune reports: Specifically, as Lenovo said in an advisory notice, the auto-update feature in its Accelerator Application software can be exploited by a "man-in-the-middle attack" -- someone could get in between the computer and the server pushing out the updated software, fooling the computer into installing a fake version of the update instead of the genuine article. Such attacks can allow anything from surreptitious malware installation to the insertion of surveillance capabilities, or even the hijacking of PCs.
I wouldn't be surprised if more attacks don't start targeting the installed-by-default bloatware on most home and some business PCs. From what I've seen, these steaming piles are usually written by the cheapest offshore dev place the vendor could find, or are licensed reskinned third-party applications using a million out of date components. The good news is that there are fewer vendor-specific tools absolutely _required_ to run hardware on a Windows laptop anymore because Microsoft provides native controls for most components in Windows 10. The bad news is that the few that remain required are very tied to the hardware and probably have a lot of privilege use on the system that people don't know about. Just look at what happens on some HP laptops when you press the Volume or Brightness keys -- CPU spikes for a few seconds while Windows loads whatever .NET module HP wrote to talk to the device driver and tell it to do its thing. I doubt any of that interaction is heavily audited or even well tested before it goes out.
All the more reason to just wipe the machine and install a clean OS build from scratch when you get it!
This headline brought to you by the department of redundancy department.
Just say no to bloatware, a clean reinstall of your os is getting to be mandatory.. ANYthing the manufacturer puts on your new computer besides the base os and any basic necessary drivers is BLOATWARE and should be removed.. Of course, *some* of us, when we buy a new pc, take ALL of the spyware/bloatware/crapware off and put Linux on... Guess that makes "Windows NSA edition" bloatware... heh
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
The app so nice, they had to name it twice?
Or maybe it's an Application Application because of two-factor?
NTLite + (Windows10 ISO | Insider Preview ISO) + slipstreamed Lenovo Drivers + create ISO.
Rufus to USB Stick (GPT Partition Scheme, FAT32).
Clean Install Windows 10. Change License key to: VK7JG-NPHTM-C97JM-9MPGT-3V66T
Change License key to purchased Windows 10 Pro key. Register.
Don't even bother trying to use the recommended Media Creation Tool. When you have a OEM Windows machine it appears to ALWAYS fail to actually create the media (usb stick).
Almost impossible like this for Windows 8: http://windows.microsoft.com/e... And this for Windows 10: http://www.microsoft.com/en-ca... It's come a long way since windows 7 and earlier.
This planet has a problem, which is this: most of the people living on it are unhappy pretty much all of the time. Many solutions are suggested for this problem, but most of these are largely concerned with the movement of small green pieces of paper, which is odd because on the whole it isn't the small green pieces of paper that are unhappy.
Many are increasingly of the opinion that we've all made a big mistake in coming down from the trees in the first place. And some say that even the trees have been a bad move, and that no one should ever have left the oceans.
Perfect timing, since a post just went live on the /. homepage about the latest Linux kernel not being able to boot!
Don't like "bloatware" on your $350 PC, prepare to pay $700.
I can build a nice system from scratch for $350. If I had another $350 on top of that, I would get a nice video card.
The more expensive laptops still have all the same shit installed. Nice troll.
With some bloatware I've come across, I would doubt the NSA would want their name sullied by being associated with it. Every time I see an "accelerator" program, I'm already smelling some type of BS. Either one trades privacy by having a third party MITM web pages to "accelerate" them, or a program tries reinventing the wheel, trying to redo some established crypto standard, and falling flat.
As for program updates, there is a very simple way to do it:
1: Have a set of gpg keys that go with the program. .sig files via https. .sig files against the downloaded files.
2: Come time to check for updates, do a curl, fetch a manifest via https.
3: Check the manifest against the proper GPG key. If the manifest doesn't validate, cough up an error.
4: If the manifest is properly signed, go and fetch files and their
5: Check the
6: If all jives, apply and patch.
SSL handles transport, gpg handles the authenticity if there is an update, and what the updated files are. If a CA is compromised and someone injects bogus files, they will be stopped at step #3 or #5, with the only practical attacks being linking the files to /dev/zero (so the curl command keeps going), or trying to find where the private key is located and compromise that.
Would you have a valid license for the same OS? Otherwise add $119 USD.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Would you have a valid license for the same OS? Otherwise add $119 USD.
The $350 would include the Windows license. Amazon has Win7 for $70 and Win10 for $86.
I don't know about "everything" but it sure would fix this problem.
I don't read your sig. Why are you reading mine?
Why VK7JG-NPHTM-C97JM-9MPGT-3V66T?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Even with Windows 7 you could just download the CD from MS. The big thing though is that you need to pull the drive. Often, the install process nowadays pulls the drivers and installs software that is detailed in the recovery partition. So even if you use an ISO from MS directly, it will install the crapware.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?