Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk

from the history-repeats-itself-history-repeats-itself dept

Lenovo hasn't had what you'd call a great track record over the last few years in terms of installing insecure crapware on the company's products. You'll recall that early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BIOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

The vulnerability was discovered by Duo Labs as part of a larger report on the security of pre-installed OEM software (pdf). The study found consistent security problems specifically in the software used by OEMs to keep all the other bloatware updated. Such software pretty consistently failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents, leaving consumers at consistent risk of remote attack. It also found that some companies even had multiple software updaters that occasionally served duplicate purposes, most of which were trivial to exploit:
"Updaters are an obvious target for a network attacker; this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEMs to learn from this, right? Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We'd like to pat ourselves on the back for all the great bugs we found, but the reality is, it's far too easy."
And again, to be clear, Lenovo wasn't alone in being incompetent here. In fact, Duo Labs tried to find a vendor whose bloatware didn't pose a security risk, and couldn't:
Here's a novel idea: if OEMs can't actually learn from past mistakes and secure their bloatware, how about they do us all a favor and stop installing such crapware in the first place?
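The report faults OEM updaters for skipping three basic checks: transport security, update integrity and manifest authenticity. The following Go program is an added illustration of the latter two, not code from the article or from Duo Labs; the payload is constructed and a freshly generated Ed25519 key stands in for a vendor's pinned signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)
// Manifest names the update file and its SHA-256 digest (constructed here;
// a real updater would fetch it, and the payload, over TLS).
type Manifest struct {
	Version string `json:"version"`
	File    string `json:"file"`
	SHA256  string `json:"sha256"`
}
// SignManifest is the vendor side: hash the payload, embed the digest, sign the bytes.
func SignManifest(priv ed25519.PrivateKey, version, file string, payload []byte) ([]byte, []byte, error) {
	sum := sha256.Sum256(payload)
	mj, err := json.Marshal(Manifest{Version: version, File: file, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return mj, ed25519.Sign(priv, mj), nil
}
// VerifyUpdate performs the two checks the report found missing: the manifest must
// carry a valid signature from the pinned vendor key (authenticity), and the payload
// must hash to the digest the signed manifest names (integrity). Either failure aborts.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload digest does not match signed manifest")
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("constructed update payload") // stand-in for the real file
	mj, sig, _ := SignManifest(priv, "1.2.3", "updater.exe", payload)
	_, okErr := VerifyUpdate(pub, mj, sig, payload)
	_, badErr := VerifyUpdate(pub, mj, sig, append(payload, '!'))
	fmt.Println("genuine:", okErr, "| tampered payload:", badErr)
}
```

Note that the signature covers the manifest bytes, so swapping in a different digest or version without the vendor's private key fails the first check, and altering the payload alone fails the second.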

Filed Under: adware, bloatware, computers, spyware
Companies: lenovo

Reader Comments

    That One Guy (profile), 3 Jun 2016 @ 3:50pm

    Let's be reasonable here

    Here's a novel idea: if OEMs can't actually learn from past mistakes and secure their bloatware, how about they do us all a favor and stop installing such crapware in the first place?

    There's good money in shoveling crapware onto unsuspecting customers, money that might decrease if they actually had to make their software secure, so expecting them to stop dumping it on people isn't likely to happen any time soon.

    Instead focus on making it so that people can more easily remove said crapware and secure their own systems, something that both decreases the risk to the owner of the device it was previously infecting and offers up the perfect opportunity to point and laugh when the crapware vendors start whining about how people are uninstalling their rubbish programs.