
Last year, security researchers discovered Lenovo was shipping laptops with Superfish, arguably the worst security flaw in a consumer PC since the infamous Sony rootkit debacle of 2005. Lenovo initially promised that it would avoid shipping all such applications with Windows 10, and declared it would change its own evaluation process to ensure it only shipped cleaner, safer PCs.

It hasn't taken the company very long to break that promise. Lenovo has released a high-priority security advisory informing users that one application it ships, the Lenovo Accelerator Application, has a critical flaw. The notification states:

A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.

The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed on some consumer notebook and desktop systems preloaded with the Windows 10 operating system. Lenovo is calling for users to remove the application as a result of a Duo Labs investigation, which found that the update mechanism used by the Lenovo Accelerator Application is fundamentally broken, with no protection against man-in-the-middle attacks. Because the updater downloads and runs whatever that unauthenticated channel delivers, the flaw allows arbitrary code execution on the target machine.


The full report by Duo Labs notes that while one of Lenovo's two update agents was genuinely hardened against attacks, the complete lack of security around the other "exemplifies the breathless mess that is the OEM software ecosystem."

The report continues:

Lenovo's UpdateAgent was one of the worst updaters we looked at, providing no security features whatsoever. Executables and manifests are transmitted in the clear and no code signing checks are enforced… Lenovo UpdateAgent does not validate signatures of applications it downloads and executes. No attempts are made to enforce the authenticity or publisher for executables retrieved by the updater… Lenovo UpdateAgent does not make use of TLS for the transmission of the manifest or any later retrieved executable files. Executables and manifests can easily be modified in transit.

The report also notes that Lenovo Solution Center is one of the best updaters from any major OEM. Unfortunately, both updaters were shipping on Lenovo systems for quite some time; Lenovo's list of affected systems contains 78 laptop models (though some are within the same product line) and 39 desktops.
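The two failure modes Duo describes for UpdateAgent (manifest and executable fetched in the clear, and no signature check on either) can be shown side by side with the check a hardened updater performs. The following is an added example written for this page in Go; it is not Lenovo's, Duo's or any vendor's code. The manifest format, the Ed25519 key handling, the function names and the two "installer" byte strings are constructed for illustration. A real client would pin the vendor's public key at build time and fetch over TLS as well; the point here is that the signature and digest check, not the transport, is what stops a swapped executable from running.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest (illustrative, not Lenovo's format):
// the version on offer and the SHA-256 digest of the installer it points to.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is the raw manifest bytes plus the vendor's Ed25519 signature over them.
type SignedManifest struct {
	Manifest, Signature []byte
}

// SignManifest is the vendor side: bind the installer's digest into a manifest and sign it.
func SignManifest(vendorPriv ed25519.PrivateKey, version string, payload []byte) (SignedManifest, error) {
	digest := sha256.Sum256(payload)
	raw, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(digest[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(vendorPriv, raw)}, nil
}

// InsecureAccept mirrors what Duo describes: parse the manifest and hand the downloaded
// executable straight to the installer. Nothing ties either to the vendor, so an attacker
// on the path (plain HTTP) can replace both at will.
func InsecureAccept(manifestJSON, payload []byte) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	return payload, nil
}

// VerifyUpdate is the hardened counterpart: the manifest must carry a valid signature from
// a vendor key pinned in the client, and the payload's SHA-256 must equal the digest bound
// inside that signed manifest. Only then is the payload released for execution.
func VerifyUpdate(vendorPub ed25519.PublicKey, sm SignedManifest, payload []byte) ([]byte, error) {
	if !ed25519.Verify(vendorPub, sm.Manifest, sm.Signature) {
		return nil, errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest carries a malformed digest")
	}
	if got := sha256.Sum256(payload); !bytes.Equal(got[:], want) {
		return nil, errors.New("payload digest mismatch: executable modified in transit")
	}
	return payload, nil
}

// Scenario plays a man-in-the-middle against both clients: the attacker keeps the genuine
// manifest but swaps the executable, then re-signs a manifest for the swapped executable
// with a key of their own. It reports which client accepted the tampered binary.
func Scenario() (insecureAccepted, hardenedAccepted, attackerKeyAccepted bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	genuine := []byte("MZ...genuine installer (constructed sample)")
	tampered := []byte("MZ...attacker payload (constructed sample)")
	sm, err := SignManifest(vendorPriv, "1.2.3", genuine)
	if err != nil {
		return
	}
	_, e1 := InsecureAccept(sm.Manifest, tampered) // accepted: no check at all
	_, e2 := VerifyUpdate(vendorPub, sm, tampered) // rejected: digest mismatch
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged, err := SignManifest(attackerPriv, "1.2.3", tampered)
	if err != nil {
		return
	}
	_, e3 := VerifyUpdate(vendorPub, forged, tampered) // rejected: wrong signing key
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	insecure, hardened, attackerKey, err := Scenario()
	fmt.Println(insecure, hardened, attackerKey, err) // true false false <nil>
}
```

The digest in the manifest is what lets the signature on a small JSON document cover a large installer without signing the installer itself; the attacker's second attempt shows why the client must pin the vendor key rather than accept any well-formed signature.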

Why single out Lenovo?

One point we want to hit head-on is why we're focusing on Lenovo when every manufacturer had serious flaws. Roughly 15 months ago, Lenovo pledged itself to building cleaner, safer PCs. It declared that those PCs would be ready for Windows 10. It further promised to solicit feedback from "our user community and industry experts to ensure we have the right applications and best user experience. We view these actions as a starting point. We believe that these steps will make our technology better, safer and more secure."

Here's the really telling line from Lenovo's security announcement: "The Lenovo Accelerator Application was never installed on ThinkPad or ThinkStation devices." In other words, it wasn't installed on the company's business-class product lines, only on its consumer-class lines like Yoga and IdeaPad. That's exactly the same defense Lenovo offered with Superfish. Last year, I stated I would never recommend another Lenovo system until the company offered evidence that it had cleaned up its act and fixed its software evaluation process. The fully hardened Lenovo Solution Center mentioned above? Lenovo's own website describes it as: "LSC comes preloaded on systems with Windows 7, Windows 8, Windows 8.1 and Windows 10, 32- and 64-bit, including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select IdeaPads."

If you own a Think-branded business system, Lenovo takes your security seriously. If you don't, it doesn't give a shit. Actions speak louder than words, and the fact that the company is still shipping substandard software more than a year after it pledged to improve its security is proof that nothing has changed.

No, the problem isn't unique to Lenovo. Acer, Asus, Dell, and HP all need to clean their own houses and secure their software, once and for all. Opening users to attacks via preinstalled software should never be considered a cost of doing business. As the Duo report notes, these applications are all treated as trustworthy, since they come directly from the manufacturers themselves, meaning they're included even on "Signature" PC editions sold by the Microsoft Store. This isn't just a Lenovo issue, and the security report makes that clear. However, Lenovo is the only PC company still throwing its consumers under the bus fifteen months after a critical security failure. If you're looking for a laptop, we still recommend looking elsewhere. Just because these flaws aren't present on Think-branded systems doesn't mean Lenovo should be rewarded for shipping substandard consumer products.