Last year, security researchers discovered Lenovo was shipping laptops with the worst security flaw since the notorious Sony rootkit debacle of 2005. Lenovo initially promised that it would avoid shipping all such programs with Windows 10, and declared it would make changes to its internal review process to ensure it only shipped cleaner, safer PCs (Emphasis original).
It hasn't taken the company very long to break that promise. Lenovo has released a high-priority security update, informing customers that one program it ships, the Lenovo Accelerator Application, has a critical flaw. The notification states:
A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.
The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed on some consumer notebook and desktop systems preloaded with the Windows 10 operating system. Lenovo is asking users to remove the software because of a Duo Labs study that found that the update mechanism used in the Lenovo Accelerator Application is fundamentally broken, with no protection against man-in-the-middle attacks. It also contains a flaw that allows for arbitrary code execution on the target system.
The full report by Duo Labs notes that while one of the Lenovo update agents was actually hardened against attacks, the complete lack of security around the other "exemplifies the incoherent mess that is the OEM software ecosystem."
Lenovo's UpdateAgent was one of the worst updaters we looked at, offering no security features whatsoever. Executables and manifests are transmitted in the clear and no code signing checks are enforced… Lenovo UpdateAgent does not validate signatures of packages it downloads and executes. No attempts are made to enforce the authenticity or publisher for executables retrieved through the updater… Lenovo UpdateAgent does not utilize TLS for the transmission of the manifest or any subsequently retrieved executable files. Executables and manifests can easily be modified in transit.
The report also notes that Lenovo's Solution Center is one of the best updaters from a major OEM. Unfortunately, both have been shipping on Lenovo systems for quite a while; Lenovo's list of affected systems contains 78 laptop models (though some are in the same product line) and 39 desktops.
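The two failures Duo describes above, and the update-check design in Lenovo's own notice (a client asks a vendor server whether an update exists, then downloads and runs what it is told to), come down to the same missing steps: authenticate the manifest before trusting anything in it, bind the downloaded executable to that authenticated manifest, and refuse plaintext transport. The Go program below is an added illustration written for this article; it is not code from Lenovo, Duo Labs or any real update agent. The manifest field names, the example.invalid URLs, the Ed25519 key pair generated at runtime and the "installer" bytes are all constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the update descriptor the client fetches. The field names are an
// assumption for this example, not the format any real Lenovo agent uses.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`    // where the executable is downloaded from
	SHA256  string `json:"sha256"` // hex digest of that executable
}

// SignedManifest is the raw manifest body plus the vendor's detached signature.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

// GenerateVendorKeys stands in for the vendor's release-signing key (constructed
// here at runtime). A real updater ships only the public half, pinned in the binary.
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SHA256Hex returns the lowercase hex SHA-256 digest of data.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor-side step: serialize the manifest and sign the
// exact bytes the client will later verify.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// RequireHTTPS rejects the plaintext transport Duo found in UpdateAgent.
func RequireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("update URL %q does not use https", raw)
	}
	return nil
}

// VerifyManifest checks the signature over the raw bytes before parsing them,
// so an unauthenticated manifest never influences the client at all.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (*Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Signature) {
		return nil, errors.New("manifest signature invalid: refusing to parse")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return nil, err
	}
	if err := RequireHTTPS(m.URL); err != nil {
		return nil, err
	}
	return &m, nil
}

// VerifyPayload binds the downloaded executable to the signed manifest. Because
// the digest lives inside the signed body, a swapped binary fails here even if
// the download itself crossed an untrusted path.
func VerifyPayload(m *Manifest, payload []byte) error {
	if got := SHA256Hex(payload); got != m.SHA256 {
		return fmt.Errorf("payload digest %s does not match manifest %s", got, m.SHA256)
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKeys()
	installer := []byte("constructed installer bytes v1.0.1") // stand-in for a real executable
	m := Manifest{Version: "1.0.1", URL: "https://updates.example.invalid/accel.exe", SHA256: SHA256Hex(installer)}
	sm, _ := SignManifest(priv, m)

	verified, err := VerifyManifest(pub, sm)
	fmt.Println("manifest ok:", err == nil)
	fmt.Println("genuine payload ok:", VerifyPayload(verified, installer) == nil)
	fmt.Println("swapped payload rejected:", VerifyPayload(verified, []byte("not the installer")) != nil)

	// A body altered in transit no longer matches the vendor's signature.
	altered := SignedManifest{Body: []byte(`{"version":"9.9","url":"https://updates.example.invalid/x.exe","sha256":""}`), Signature: sm.Signature}
	_, err = VerifyManifest(pub, altered)
	fmt.Println("altered manifest rejected:", err != nil)
}
```

The order matters: the signature is checked over the raw bytes before the JSON is parsed, the URL scheme is enforced from the signed body rather than from whatever the server happened to answer, and the executable is accepted only if its digest matches the signed manifest. The private key exists here only to produce a signed sample; in a shipped agent it stays in the vendor's release pipeline and the client carries nothing but the pinned public key.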
Why single out Lenovo?
One point we want to hit head-on is why we're focusing on Lenovo when every manufacturer had serious flaws. Roughly 15 months ago, Lenovo pledged itself to building cleaner, safer PCs. It declared that those PCs would be ready for Windows 10. It further promised to solicit feedback from "our user community and industry experts to ensure we have the right programs and best user experience. We view these actions as a starting point. We believe that these steps will make our technology better, safer and more secure."
Here's the really telling line from Lenovo's security statement: The Lenovo Accelerator Application was never installed on ThinkPad or ThinkStation devices. In other words, it wasn't installed on the company's business-class product lines; only its consumer-class lines like Yoga and IdeaPad. That's exactly the same protection Lenovo offered with Superfish. Last year, I said I would never recommend another Lenovo device until the company offered evidence that it had cleaned up its act and fixed its software review process. The fully hardened Lenovo Solution Center shown above? Lenovo's own website describes it as: "LSC comes preloaded on systems with Windows 7, Windows 8, Windows 8.1 and Windows 10, 32- and 64-bit, including ThinkPad, ThinkPad Tablet, ThinkCentre and ThinkStation, IdeaCentre, and select IdeaPads." (Emphasis added).
If you own a Think-branded business machine, Lenovo takes your security seriously. If you don't, it doesn't give a shit. Actions speak louder than words, and the fact that the company is still selling substandard software more than a year after it pledged to improve its security is evidence that nothing has changed.
No, the problem isn't unique to Lenovo. Acer, Asus, Dell, and HP all need to clean their own houses and secure their software, once and for all. Opening users to attacks via preinstalled software should never be considered a cost of doing business. As the Duo report notes, these programs are all considered trustworthy, since they come directly from the manufacturers themselves, meaning they're included — even on "Signature" laptop models sold by the Microsoft Store. This isn't just a Lenovo problem, and the security report makes that clear. Still, Lenovo is the only laptop company still throwing its customers under the bus 15 months after a critical security breach. If you're looking for a laptop, we still recommend looking elsewhere. Just because these flaws aren't present on Think-branded systems doesn't mean Lenovo should be rewarded for shipping substandard consumer products.