Bloatwaregate: Lenovo says to delete its preloaded crapware following vulnerability warning
June 8, 2016
Shah Sheikh

HARDWARE COMPANY Lenovo has reacted to reports about its bloody bloatware buggering up personal security by telling people to delete the software that it forced on them in the first place.

Lenovo is one of five companies fingered over this by Duo Security, and is apparently taking news of the vulnerabilities very seriously.

Lenovo said in a security advisory that the best version of the problematic Lenovo Accelerator Application software is a deleted version.

“The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with Windows 10,” the firm said.

“Lenovo recommends customers uninstall Lenovo Accelerator Application by going to the ‘Apps and Features’ application in Windows 10, selecting Lenovo Accelerator Application and clicking on ‘Uninstall’.”

In case you were wondering, you may suffer from the blight if you are unfortunate enough to own one of the more than 50 affected devices.

Duo warned that Dell, HP, Asus, Acer and Lenovo laptops have at least one security vulnerability that could let a hacker take control in minutes.

The security firm identified 12 vulnerabilities across the vendors’ machines. We approached all of them to see whether they are happy to talk about the problems, which Duo described as significant.

The problems relate to the bloatware crap that vendors put on laptops. “The OEM software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivised crapware. Some apps do nothing more than add a shortcut to launch your web browser to a specific site,” the company said.

“The experience is annoying to most people for a number of reasons. In addition to wasting disk space, consuming RAM, and generally degrading the user experience, OEM software often has serious implications for security.”

These include Superfish, which the firm said was a nightmare problem and is by no means unique.

“Every time something like this happens we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any, security review was performed,” said Duo.

“It’s well known in the security research community that OEM software is a vulnerability minefield, but finding them is not particularly exciting. But that’s also why OEM software has remained a major security problem.

“So we decided to dig deep to find out just how bad the issue is, and provide recommendations for consumers to protect themselves against the security gaps and annoyance that bloatware presents.”

The report explained that Dell has a high-risk vulnerability called eDellroot, which we have covered before. The security firm said that the threat involves certificate best practices or, as we assume, certificate worst practices. HP has two high-ranking flaws that can enable arbitrary code execution and five lesser vulnerabilities.

Asus and Lenovo have one high-risk vulnerability each, again risking arbitrary code execution, while Acer has two, and Asus also has one medium-severity local privilege escalation flaw.

The 10 devices tested were Lenovo Flex 3, HP Envy, HP Stream x360 (Microsoft Signature Edition), HP Stream (UK version), Lenovo G50-80 (UK version), Acer Aspire F15 (UK version), Dell Inspiron 14 (Canada version), Dell Inspiron 15-5548 (Microsoft Signature Edition), Asus TP200S and Asus TP200S (Microsoft Signature Edition).

Source | TheInquirer