Last year, security researchers discovered Lenovo was shipping laptops with the worst security flaw since the infamous Sony rootkit debacle of 2005. Lenovo initially promised that it would avoid shipping all such applications with Windows 10, and declared it wouldmake changes to its own evaluation process to ensure it only shipped cleaner, safer PCs(Emphasis original).
It hasn’t taken the company very long to break that promise. Lenovo has released a high priority security update, informing users that one application it ships, the Lenovo Application Accelerator, has a critical flaw. The notification states:
A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.
The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some consumer notebook and desktop systems preloaded with the Windows 10 operating system. Lenovo is calling for users to remove the application as a result of a Duo Labs investigation that discovered that the update mechanism used in the Lenovo Application Accelerator is fundamentally broken, with no protection against man-in-the-middle attacks. It also contains a flaw that allows for arbitrary code execution on the target machine .
The full report by Duo Labs notes that while one of the two Lenovo update agents was truly hardened against attacks, the complete lack of security around the other “exemplifies the incoherent mess that is the OEM software ecosystem.”
The report continues:
Lenovo’s UpdateAgent was one of the worst updaters we looked at, providing no security features whatsoever. Executables and manifests are transmitted in the clear and no code signing checks are enforced… Lenovo UpdateAgent does not validate signatures of applications it downloads and executes. No attempts are made to enforce the authenticity or publisher for executables retrieved by the updater… Lenovo UpdateAgent does not make use of TLS for the transmission of the manifest or any subsequently retrieved executable files. Executables and manifests can easily be modified in transit.
The report also notes that Lenovo’s Solutions Center is one of the best updaters from a major OEM. Unfortunately, both were shipping out on Lenovo systems for quite some time; Lenovo’s list of affected systems contains 78 laptop versions (though some are within the same product line) and 39 desktops.