Top Windows OEM Lenovo Urges Customers To Uninstall Accelerator Application

Two-Factor Authentication service Duo Security reported earlier that third-party updating tools found on Dell, HP, Lenovo, Acer, and Asus (the top five Windows OEMs) are vulnerable to man-in-the-middle attack. Hours later, Lenovo, the world's largest Windows OEM by shipment figure, has issued an advisory in which it urges users to uninstall Accelerator Application, which comes preinstalled on many of its laptops and desktops models. Fortune reports: Specifically, as Lenovo said in an advisory notice, the auto-update feature in its Accelerator Application software can be exploited by a "man-in-the-middle attack" -- someone could get in between the computer and the server pushing out the updated software, fooling the computer into installing a fake version of the update instead of the genuine article. Such attacks can allow anything from surreptitious malware installation to the insertion of surveillance capabilities, or even the hijacking of PCs.

Re:

[U2xhc2hkb3QgU3Vja3M]

This planet has a problem, which is this: most of the people living on it are unhappy pretty much all of the time. Many solutions are suggested for this problem, but most of these are largely concerned with the movement of small green pieces of paper, which is odd because on the whole it isn't the small green pieces of paper that are unhappy.

Many are increasingly of the opinion that we've all made a big mistake in coming down from the trees in the first place. And some say that even the trees have been a ba

Re:

[darkain]

Perfect timing, since a post just went live on the /. homepage about the latest Linux kernel not being able to boot!

Re:

[mspohr]

I don't know about "everything" but it sure would fix this problem.

Re:

[LVSlushdat]

Just say no to bloatware, a clean reinstall of your os is getting to be mandatory.. ANYthing the manufacturer puts on your new computer besides the base os and any basic necessary drivers is BLOATWARE and should be removed.. Of course, *some* of us, when we buy a new pc, take ALL of the spyware/bloatware/crapware off and put Linux on... Guess that makes "Windows NSA edition" bloatware... heh

Re: Doubledy Dupey Drats

[GreenEnvy22]

Almost impossible like this for Windows 8: http://windows.microsoft.com/e... [microsoft.com] And this for Windows 10: http://www.microsoft.com/en-ca... [microsoft.com] It's come a long way since windows 7 and earlier.

Re:

[Coren22]

Even with Windows 7 you could just download the CD from MS. The big thing though is that you need to pull the drive. Often, the install process nowadays pulls the drivers and installs software that is detailed in the recovery partition. So even if you use an ISO from MS directly, it will install the crapware.

Re:

[mlts]

With some bloatware I've come across, I would doubt the NSA would want their name sullied by being associated with it. Every time I see an "accelerator" program, I'm already smelling some type of BS. Either one trades privacy by having a third party MITM web pages to "accelerate" them, or a program tries reinventing the wheel, trying to redo some established crypto standard, and falling flat.

As for program updates, there is a very simple way to do it:

1: Have a set of gpg keys that go with the program.
2:

That's one way to stop bloatware!

[ErichTheRed]

I wouldn't be surprised if more attacks don't start targeting the installed-by-default bloatware on most home and some business PCs. From what I've seen, these steaming piles are usually written by the cheapest offshore dev place the vendor could find, or are licensed reskinned third-party applications using a million out of date components. The good news is that there are fewer vendor-specific tools absolutely _required_ to run hardware on a Windows laptop anymore because Microsoft provides native controls for most components in Windows 10. The bad news is that the few that remain required are very tied to the hardware and probably have a lot of privilege use on the system that people don't know about. Just look at what happens on some HP laptops when you press the Volume or Brightness keys -- CPU spikes for a few seconds while Windows loads whatever .NET module HP wrote to talk to the device driver and tell it to do its thing. I doubt any of that interaction is heavily audited or even well tested before it goes out.

All the more reason to just wipe the machine and install a clean OS build from scratch when you get it!

Re:

[bmo]

I wouldn't be surprised if more attacks don't start targeting the installed-by-default bloatware on most home and some business PCs.

https://duo.com/blog/out-of-bo... [duo.com]

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial."

--
BMO

Re:

[U2xhc2hkb3QgU3Vja3M]

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant - meaning, trivial."

That sounds like something Douglas Adams would have wrote.

This headline brought to you by...

[theIsovist]

This headline brought to you by the department of redundancy department.

Re:

[__aaclcg7560]

One application application to rule them all.

Re:This headline brought to you by...

[U2xhc2hkb3QgU3Vja3M]

You know we're all in big trouble once the Department of recursivity department merges with the Department of redundancy department.

Accelerator Application Application?

[jddj]

The app so nice, they had to name it twice?

Or maybe it's an Application Application because of two-factor?

Lenovo Laptops

[CrashNBrn]

NTLite [ntlite.com] + (Windows10 ISO [microsoft.com] | Insider Preview ISO [microsoft.com]) + slipstreamed Lenovo Drivers + create ISO.
Rufus [rufus.akeo.ie] to USB Stick (GPT Partition Scheme, FAT32).
Clean Install Windows 10. Change License key to: VK7JG-NPHTM-C97JM-9MPGT-3V66T
Change License key to purchased Windows 10 Pro key. Register.

Don't even bother trying to use the recommended Media Creation Tool [microsoft.com]. When you have a OEM Windows machine it appears to ALWAYS fail to actually create the media (usb stick).

Re:

[CrashNBrn]

Addenum:
Windows 10 Pro licenses for $29.99. [google.com]. Granted, I was skeptical, but the licenses are valid, and they (Bonanza) have guaranteed refunds along with payment via Paypal or Amazon Pay.

Re:

[RubberDogBone]

G2A is another retailer specializing in reselling legitimate software licences. I've used them for Windows licenses and security software licenses, without any issues.

Re:

[eumoria]

I manage over 200 computers both from Lenovo and Dell and have experienced this 0 times. What does it do when it fails? Is there data on the stick but not booting? Does the media creation tool give an error of some kind?

Re:

[CrashNBrn]

windows activation error code 0xc004f014 [google.com]:
Error Code 0x80070456 - 0xA0019 - Windows 10 Media Creation Tool - USB - Microsoft Community [microsoft.com]

On both my HP Laptop with Win 8 Home. And my Lenovo Laptop with Win 10 Home. The Media Creation Tool downloads the ISO to "somewhere". Then promptly fails to actually create the media (USB) with the aforementioned error.

Re:

[CrashNBrn]

Dammit, ignore the activation code google link. Thats from trying to upgrade from OEM Windows Home "N" to Pro, without first putting in the "VK7JG-NPHTM-C97JM-9MPGT-3V66T" key to initiate the upgrade to Pro. Since even though I used a Windows 10 PRO "disc" - due to their being a Lenovo Volume Licensing Windows HOME key burned in the BIOS, the installer puts Windows Home onto your SSD|HD. Then you need to upgrade to Pro. Reboot. Enter Valid Pro key. Register.

Re:

[eumoria]

thank you for the info wow that sucks :( my systems are all 8.1 pro units with the keys stored in hardware so maybe that changes things.

Re:

[CrashNBrn]

Windows 10 is the first time I can honestly say, what Microsoft has done, looks and performs like what a modern version of Win2K should be. The default theme, even is dark. There's a few quirks with ejecting USB that Windows 8 doesn't seem to have. Other than that, best OS from Microsoft in 16 years.

Re:

[CrashNBrn]

<NOTE>: You will need to turn off "secure boot" in the UEFI (BIOS) to install a non-signed ISO.

VK7JG-NPHTM-C97JM-9MPGT-3V66T?

[antdude]

Why VK7JG-NPHTM-C97JM-9MPGT-3V66T?

Re:

[CrashNBrn]

Fix for Upgrading from Windows 10 Home to Windows 10 Pro [rbrussell.com]

Now you’ll want to enter the default Windows 10 Pro product key as mentioned by Charles From Microsoft [microsoft.com]:

From your Windows 10 Home running Version 1511, enter the Windows 10 Pro Default key under change product key.
VK7JG-NPHTM-C97JM-9MPGT-3V66T This default key will not activate the system, just take you to Pro so you can activate using a valid Pro key that you will provide.

Re:

[antdude]

Thanks. MS never banned this trick?

Self-Fixing Problem

[apoc.famine]

Just use the exploit in the application to uninstall the application. Users who would be effected by the exploit will have the application removed, users who would not be effected will not have it removed.
 
Is it legal? No. But who among the people that still have this bloatware installed is going to notice?

Re:

[__aaclcg7560]

Don't like "bloatware" on your $350 PC, prepare to pay $700.

I can build a nice system from scratch for $350. If I had another $350 on top of that, I would get a nice video card.

Re:

[Holi]

Would you have a valid license for the same OS? Otherwise add $119 USD.

Re:

[__aaclcg7560]

Would you have a valid license for the same OS? Otherwise add $119 USD.

The $350 would include the Windows license. Amazon has Win7 for $70 and Win10 for $86.

Re:

[pete6677]

The more expensive laptops still have all the same shit installed. Nice troll.