Lenovo Bloatware Haunts OEM Laptops

You might be at risk if you are using a brand-name computer and you haven’t uninstalled all the software that came preinstalled on it, such as Lenovo bloatware. Not only can the preinstalled software slow down your computer, but it can also allow unauthorized access to your private data.

A security analysis of OEM updaters

Earlier this month, Lenovo issued a security advisory that advised users to uninstall the Accelerator Application because of its insecure update mechanism. This discovery was the result of research completed by security company Duo Labs, which reported the vulnerability.

The same security research firm published a paper in 2015 entitled “Dude, You Got Dell’d – Publishing Your Privates” which led to the discovery of potential man-in-the-middle attacks against Dell laptop computers shipped with insecure security certificates. For example, in a real world scenario, if a user was using their Dell Inspiron 14 laptop at a coffee shop, an attacker sitting in the shop and utilizing the same Wi-Fi network could potentially intercept all of the user’s encrypted traffic, including sensitive data like bank passwords, emails, etc.

This time, they took it a step further and tested OEM updaters for preinstalled software on 10 different laptop systems shipped with an out-of-box configuration, after any pending updates were applied. They also published the basic features from some of the updaters:

[Image: Lenovo bloatware OEM features]

While focusing on potential man-in-the-middle attacks, which are considered to be the simplest and most common cyber attack methods, the researchers concluded that every vendor shipped a vulnerable preinstalled updater that could allow a complete compromise of the affected machine. High-severity security holes were identified in preinstalled software shipped with laptops from the following manufacturers: Acer, Asus, Dell, Hewlett-Packard, and Lenovo.

Lenovo bloatware vulnerability: High severity

The most distressing of all have been the vulnerabilities discovered in Lenovo’s UpdateAgent, which “provides no security features whatsoever,” according to researchers at Duo Labs. The application programming interface (API) calls made by Lenovo’s UpdateAgent can be intercepted and modified to obtain the conditions necessary for remote code execution by an attacker with local network access.

Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. As a result, it is recommended that users uninstall Lenovo UpdateAgent from more than 110 notebook and desktop models running Windows 10 OS. For a complete list of the affected Lenovo notebooks and desktops, please read the security advisory. According to Lenovo, the vulnerable Accelerator Application was never installed on ThinkPad or ThinkStation devices.

Notebook systems shipped with vulnerable Lenovo bloatware:

100/100s/110
305
700
300/300S
310
500/500S
700S
B40-30/B40-45/B40-45/B40-80
B41-30/B41-35/B41-80
B50-10/B50-30/B50-30 Touch/B50-45/B50-50/B50-80/B51-30/B51-35/B51-80/B70-80/B71-80
E31-70/E31-80/E40-30/E40-80/E41-10/E41-15/E41-80/E50-30/E50-80/E51-80
Edge 15
Edge 2-1580
Erazer N40-30/Erazer N40-45
Erazer N50-45/Erazer N50-45
Erazer Z41-70
Erazer Z51-70
FLEX 2 Pro
FLEX 3
FLEX 4
G40-45/G40-80/G40-80m
G41-35
G50/G50-45/G50-80/G50-80m/G50-80Touch
G51-35
G70-35/G70-80
G50
K20-80
K21-80
K41-70/K41-80
M41-70
M51-80
MIIX 3
MIIX 300/MIIX310
MIIX 700
N22 Winbook
N41-35
N51-35
S21e-20
S41-35/S41-70/S41-75
TianYi 300
U31-70
U41-70
V4000
XiaoXin 700
XiaoXin Air 12
Y50-70/Y50-70 Touch
Y50c
Y700/Y700 Touch
Y70-70 Touch
Y900
Yoga 2
YOGA 3 14
Yoga 3 Pro
Yoga 300
YOGA 500/YOGA 510
YOGA 700/YOGA 710/YOGA 900/YOGA 900S
Z40-70/Z40-75
Z50-70/Z50-75
Z41-70
Z51-70
Z70-80

Desktop systems shipped with vulnerable Lenovo bloatware:

50050C/50100E/50550A/50600I
A3300
A7300
A8150
B40
C20
C40
C50
C560
D3000
D5010/ D5050/ D5055
F5005/ F5050/ F5055
G5005/ G5010/ G5050/ G5055
H3005
H30-50
H5005/ H5055
H50-50
IdeaCentre 200
IdeaCentre 300/300S
IdeaCentre 510/510S
IdeaCentre 700
M7300z
M8300z/M8350z
M9550z
Yoga Home 500

Found Lenovo bloatware on a laptop or desktop model not listed in the security advisory? Open a support ticket with our support team and we will be glad to assist you in determining if you should remove it or not.

What you should do to protect yourself

Based on the Lenovo Security Advisory: LEN-6718, there are three official ways to uninstall Lenovo Accelerator Application, as described here:

  1. In Lenovo System Update, click on “Get new updates” and follow the prompts to uninstall Lenovo Accelerator Application. This update will also run automatically if a user has not disabled the “Automatically download and install updates” option.
  2. Download and run the Lenovo Accelerator Application removal tool available here. Using this verified removal tool, you should be able to remove vulnerable Lenovo bloatware without leaving any software traces behind.
  3. Go to the “Apps and Features” application in Windows 10, select Lenovo Accelerator Application and click on “Uninstall.”
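To confirm that one of the three removal methods above actually took effect, the following added example (not part of Lenovo's advisory or of the original article) checks whether the product is still registered in the Windows uninstall keys that “Apps and Features” reads from. The function name, the wildcard pattern and the output fields are choices made for this example; the pattern assumes the registered display name contains the product name used in the advisory.

```powershell
# Added example: audit a machine for a still-registered Lenovo Accelerator Application.
# Assumption: the registered DisplayName contains the product name from advisory LEN-6718.
function Find-InstalledProduct {
    param(
        [string]$NamePattern = '*Lenovo Accelerator*'
    )

    # Per-machine (64-bit and 32-bit views) and per-user uninstall keys.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }

        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue

            # Many subkeys (patches, components) have no DisplayName; skip them.
            $name = $props.DisplayName
            if (-not $name -or $name -notlike $NamePattern) { continue }

            [pscustomobject]@{
                DisplayName     = $name
                DisplayVersion  = $props.DisplayVersion
                Publisher       = $props.Publisher
                UninstallString = $props.UninstallString
                RegistryKey     = $key.Name
            }
        }
    }
}

$hits = @(Find-InstalledProduct)
if ($hits.Count -gt 0) {
    Write-Output "Still registered: $($hits.Count) matching uninstall entry(ies)."
    $hits | Format-List
} else {
    Write-Output 'No matching entry found in the uninstall registry keys.'
}
```

An empty result only shows that the product is no longer registered as installed; it does not cover files or other registry traces an uninstaller may leave behind.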

Better bloatware-free than sorry

As we recently concluded in our own research, “Software Uninstaller Comparison – How to fully remove QuickTime from Windows,” popular software does not always fully uninstall itself using its own uninstaller. After using the software’s own uninstaller to remove the vulnerable QuickTime software, we found that plenty of QuickTime software traces (more than 1500 different file system and registry elements) were left behind on our test system.

In some cases, removing QuickTime using its own uninstaller left behind its registry entries as well as its executables. Most likely this leaves the computer vulnerable to the security issues identified in the software. Luckily, jv16 PowerTools is known for its improved ability to detect software leftovers.

We recommend that everyone follow these steps to keep their computer safe from the possible security issues related to Lenovo bloatware:

1. Download and install jv16 PowerTools

2. Open jv16 PowerTools – Software Uninstaller and see if it finds Lenovo Accelerator Application in your system. Notice that it may be under Installed Software or under Possible Leftover Traces.

3. If Lenovo Accelerator Application or its leftovers are found, allow jv16 PowerTools to remove them from your system.

Further tests yet to be performed

For analyzing QuickTime, the Windows 10 based tests were performed using a virtual computer running Windows 10 build 1511 (64 bit) with a base memory of 4096 MB (RAM), with two logical CPU cores and 50 GB of hard disk space. Windows updates were disabled for the test environment to ensure the system was not changed during the testing period.

The Lenovo Accelerator Application (part of the Lenovo QuickOptimizer program) is used to speed up the launch of Lenovo applications, and it was installed on some notebook and desktop systems preloaded with Windows 10. Obviously, running a test similar to the one we did for QuickTime requires select Lenovo computers:

[Image: Lenovo bloatware QuickOptimizer info]

In a follow-up blog entry, our intention is to outline the test results for Lenovo IdeaPad 300 (one of the affected systems) and find out if there are any software leftovers remaining on the system after Lenovo Accelerator Application has been uninstalled using its own uninstaller.

Lenovo bloatware in summary

Learning more about Lenovo bloatware or other OEM bloatware on your system is easy with jv16 PowerTools, as its Software Uninstaller tool has been greatly improved to detect and remove software leftovers. Download our product and activate a free, fully functional 60-day trial license to clean and speed up your computer.

Note: jv16 PowerTools X is a commercial software product. The above link will download the free trial version, which can be fully used to uninstall Lenovo bloatware or other OEM bloatware residing on your system. There is no bundled software, no adware, no spyware, and no hidden surprises. Always back up your computer before using jv16 PowerTools or any other similar software.