In the wake of Duo Security’s report on the critical vulnerabilities in Original Equipment Manufacturer (OEM) updaters preloaded on popular laptop and desktop computers, Lenovo has advised users to uninstall its Accelerator Application.
“The vulnerability (CVE-2016-3944) resides within the update mechanism where a Lenovo server is queried to identify if application updates are available,” the company explained.
The flaw can be exploited by an attacker with local network access to execute code remotely and take control of the machine.
The Accelerator Application is apparently used to speed up the launch of the company’s applications, and is present on some Lenovo consumer notebook and desktop systems preloaded with Windows 10, but not on ThinkPad or ThinkStation devices.
The list of all affected systems can be found in this security advisory. The vulnerable app can be uninstalled through the “Apps and Features” app in Windows 10.
Curiously enough, Duo Security discovered that the company did a great job with another updater: Lenovo Solution Center. LSC sports a number of security features and no serious vulnerabilities.
“The stark contrast between these two pieces of software from the same vendor exemplifies the incoherent mess that is the OEM software ecosystem,” they noted.