Lenovo cries 'dump our support app' after 'critical' hole found

Lenovo is warning users to uninstall its Accelerator support application after it was revealed to have what it says are serious interception vulnerabilities. The company is one of five vendors caught pre-installing dangerously-vulnerable OEM software. Duo Security researcher Mikhail Davidov reported the holes that would allow …

  1. redpawn

    Clean install Windows or Linux

    After Super Fish and bucket loads of insecure vendorware your only good option is a clean install while avoiding OEM drivers if you possibly can. The hardware these days is mostly nice and reasonably priced but the crapware and toxicware are too much. Clean install Windows if you must use Windows on these machines. Our Lenovo Yoga runs Linux just fine except for the screen to auto-rotate when in tablet mode feature does not work, a minor inconvenience in comparison to being spied on all the time.

    1. Anonymous Coward

      Re: Clean install Windows or Linux

      I'm pre-empting that someone will point out that laptops rarely come with install CDs and the restore partition which wastes space at the end of your HDD/SSD will just restore the manufacturer's image, complete with crapware.

      You can download vanilla installation disks from Microsoft. The licence is embedded in the firmware of your laptop so will be reapplied to the fresh install in the case of Windows 8 or 10. For Windows 7, you'll need to write down your existing key (Produkey is the best tool for this IMO - bear in mind some virus killers will flag this as malware because it gets your product key out of the registry, funnily enough.) When you reinstall Windows 7, just enter the key and re-activate and it'll be fine as it's the same hardware.

      It's worth shrinking down your Windows system partition to the smallest it will go and installing alongside on a new partition. That way when there are missing drivers you can get them from your old Windows partition.

      Or you can install Linux, which is generally far less hassle.

      It's a good opportunity to wipe your SSD/HDD and start again. There are some on this site who don't realise that people have valid reasons for sticking with Windows, but it's easy enough to create a dual-boot system and this is a good time to do it. Install Windows, but only allocate 30-50 GB for it and install Linux to another partition. If you don't like it, it's easy to delete.

      There are few good reasons for sticking with OEM builds.

      1. Anonymous Coward

        Re: Clean install Windows or Linux

        "When you reinstall Windows 7, just enter the key and re-activate and it'll be fine as it's the same hardware."

        I'm not sure that always works? I've had Win 7 installations reject the OEM key that came with the PC, but it's so far back in time I can't remember the reasons it gave.

        Didn't know about the 8 onwards storing a key in the BIOS though, that's definitely useful to know, and frankly amazed that it works!

        1. Hans 1
          Windows

          Re: Clean install Windows or Linux

          >Didn't know about the 8 onwards storing a key in the BIOS though, that's definitely useful to know, and frankly amazed that it works!

          Yes, it is great, if you fry your motherboard and get a replacement, it is considered a new computer, please purchase Windows again, thank you very much!

          1. Annihilator

            Re: Clean install Windows or Linux

            "if you fry your motherboard and get a replacement, it is considered a new computer, please purchase Windows again"

            Think that's the case regardless with OEM keys.

            1. Hans 1

              Re: Clean install Windows or Linux

              >Think that's the case regardless with OEM keys.

              NO IT IS NOT.

              You have a laptop with Windows 7 that is dead? Where I live, I can freely re-use that license on any computer I see fit, even if it is an OEM key. MS know that, so they have put in place an automated "licensing telephone system" where you can re-claim that license for another PC.

              The thing is, this is not legal in all jurisdictions. I doubt it is legal in the US (BASTAAAARDS); it is legal in the EU, though .... Of course, you can only use it on ONE computer, obviously ... guess why broken laptops are picked up near trashcans?

        2. Roland6 Silver badge

          Re: Clean install Windows or Linux

          I've had Win 7 installations reject the OEM key that came with the PC

          With XP and 7 you need to copy three files off the HDD to a USB and write them over the new versions after doing the clean install. This will preserve the existing activation. Additionally, this method works if you replace the HDD and/or motherboard - although you may have to use the Windows recovery CD to get it to revalidate the activation. So you can preserve the BIOS setting based OEM activation that the majors use.

          The OEM keys supplied with the PC are typically disabled and require you to phone MS to get them to activate correctly, hence why I prefer to do the file copy routine.

        3. Anonymous Coward

          Re: Clean install Windows or Linux

          After Super Fish and bucket loads of insecure vendorware your only good option is a clean install ...

          Except that Super Fish is loaded by Windows at boot from UEFI via Windows Binary Platform Table (WBPT).

          I've had Win 7 installations reject the OEM key that came with the PC.

          Isn't that nice of them? I recently ran into this situation and had to use a bulk license key I found on the Internet to get past the installer key check and then use the legit key for activation.

          Except that this was a Windows 8 laptop with no COA sticker, so first I had to boot a linux live usb and dump the section of the UEFI that contained the windows key and extract it. Of course I just magically knew to do this, rather than spending hours searching the internet for the specific piece of nonsense that actually worked.

          Thanks, Microsoft. Both for your painful license enforcement mechanisms and for your involvement in the dog excrement on toast that is UEFI (and that's not even considering Secure Boot).

          1. Roland6 Silver badge

            Re: Clean install Windows or Linux

            Except that Super Fish is loaded by Windows at boot from UEFI via Windows Binary Platform Table (WBPT).

            In some respects we should be thankful for Lenovo bundling Superfish and other vendors providing 'interesting' behind-the-scenes services through UEFI (see http://forums.theregister.co.uk/forum/containing/2881919 - thanks for the link A.M.) because they have publicly exposed the attack vectors that UEFI, by design, builds into every PC. Hence even doing a clean install doesn't necessarily get rid of some of this stuff; to do that you need to scrub the disk including the boot sectors - which are either invisible or by default excluded from many format and disk imaging programs.

            1. psychonaut

              Re: Clean install Windows or Linux

              you can use rweverything to get the win 8 key from the bios. probably works with 10 too.

              1. Anonymous Coward

                Re: Clean install Windows or Linux

                you can use rweverything to get the win 8 key from the bios. probably works with 10 too.

                That's a windows exe? It's hard to run those when the OS crashes and burns on boot.

                I'll keep it in mind though, will be handy in most similar situations. Thanks for the tip.
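Two firmware tables come up in this sub-thread: the one Windows 8 and later read the OEM product key from (the ACPI MSDM table, which is what a live-USB dump of "the section of the UEFI that contained the windows key" is really after), and the table through which firmware hands Windows a binary to execute at boot (WPBT, the mechanism behind the Lenovo firmware story linked elsewhere in this thread). The parser below is an added example written for this page; it is not code from the article, the commenters, or any of the tools they mention. Table layouts follow Microsoft's published MSDM and WPBT specifications; the sample tables, the placeholder key and the placeholder image path are constructed here. On a Linux live system the same tables can be read from /sys/firmware/acpi/tables/MSDM and /sys/firmware/acpi/tables/WPBT (root required); the presence of a WPBT table on a machine you have just clean-installed is the thing worth checking for.

```python
"""Parse the ACPI MSDM (OEM Windows key) and WPBT (firmware boot binary) tables.

Added example, not code from the article or the comments. Layouts follow the
public Microsoft MSDM and WPBT specifications. SAMPLE_* tables are constructed
here with placeholder values so the code runs offline.
"""
import os
import struct

# Common 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# MSDM body: version, reserved, data type (1 = product key), reserved, data length.
MSDM_BODY = struct.Struct("<IIIII")
# WPBT body: handoff memory size, handoff memory address, content layout,
# content type, command-line arguments length (bytes, UTF-16LE follows).
WPBT_BODY = struct.Struct("<IQBBH")

ACPI_TABLE_DIR = "/sys/firmware/acpi/tables"  # Linux sysfs location


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI tables are built so that all bytes sum to zero modulo 256."""
    return sum(table) % 256 == 0


def parse_header(table: bytes, expected_sig: str) -> dict:
    """Validate signature, declared length and checksum before trusting the body."""
    if len(table) < ACPI_HEADER.size:
        raise ValueError("table shorter than ACPI header")
    sig, length, rev, _chk, oem_id, oem_tid, _, _, _ = ACPI_HEADER.unpack_from(table, 0)
    if sig.decode("ascii", "replace") != expected_sig:
        raise ValueError(f"expected {expected_sig} table, got {sig!r}")
    if length != len(table):
        raise ValueError(f"declared length {length} != actual size {len(table)}")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch: table corrupt or tampered")
    return {"signature": expected_sig, "revision": rev,
            "oem_id": oem_id.decode("ascii", "replace").strip(),
            "oem_table_id": oem_tid.decode("ascii", "replace").strip()}


def parse_msdm(table: bytes) -> str:
    """Return the OEM product key string embedded in an MSDM table."""
    parse_header(table, "MSDM")
    _version, _, data_type, _, data_len = MSDM_BODY.unpack_from(table, ACPI_HEADER.size)
    if data_type != 1:
        raise ValueError(f"unsupported MSDM data type {data_type}")
    start = ACPI_HEADER.size + MSDM_BODY.size
    if start + data_len > len(table):
        raise ValueError("MSDM data length runs past end of table")
    return table[start:start + data_len].decode("ascii")


def parse_wpbt(table: bytes) -> dict:
    """Describe what a WPBT table would make Windows run at boot."""
    hdr = parse_header(table, "WPBT")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    if start + args_len > len(table):
        raise ValueError("WPBT argument length runs past end of table")
    args = table[start:start + args_len].decode("utf-16-le").rstrip("\x00")
    return {"oem_id": hdr["oem_id"], "image_size": size, "image_addr": addr,
            "layout": layout, "content_type": ctype, "args": args}


def scan_firmware(table_dir: str = ACPI_TABLE_DIR) -> dict:
    """Report MSDM key presence and any WPBT binary handoff on a live Linux system."""
    findings = {}
    msdm = os.path.join(table_dir, "MSDM")
    wpbt = os.path.join(table_dir, "WPBT")
    if os.path.exists(msdm):
        with open(msdm, "rb") as f:
            findings["oem_key"] = parse_msdm(f.read())
    if os.path.exists(wpbt):  # firmware will inject a binary into every Windows boot
        with open(wpbt, "rb") as f:
            findings["wpbt"] = parse_wpbt(f.read())
    return findings


def build_table(sig: bytes, body: bytes) -> bytes:
    """Assemble a table with a valid checksum; used only to construct samples."""
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(sig, length, 1, 0, b"EXMPLE", b"SAMPLE  ", 1, b"EXMP", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) % 256  # checksum byte sits at header offset 9
    return bytes(raw)


# Constructed samples: placeholder key, placeholder address and arguments.
PLACEHOLDER_KEY = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
SAMPLE_MSDM = build_table(b"MSDM", MSDM_BODY.pack(1, 0, 1, 0, len(PLACEHOLDER_KEY))
                          + PLACEHOLDER_KEY.encode("ascii"))
_ARGS = "/quiet".encode("utf-16-le")
SAMPLE_WPBT = build_table(b"WPBT", WPBT_BODY.pack(0x1000, 0x7FF00000, 1, 1, len(_ARGS)) + _ARGS)

if __name__ == "__main__":
    print("sample MSDM key:", parse_msdm(SAMPLE_MSDM))
    print("sample WPBT:", parse_wpbt(SAMPLE_WPBT))
    print("this machine:", scan_firmware() or "no MSDM/WPBT tables found (or not Linux)")
```

The checksum and length checks matter more than they look: a table copied off a machine with a flipped byte, or one a tool truncated, should be rejected rather than yield a plausible-looking key or image address. `scan_firmware()` returns an empty dict on systems without the sysfs directory, so the script is safe to run anywhere.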

      2. Annihilator

        Re: Clean install Windows or Linux

        "It's worth shrinking down your Windows system partition to the smallest it will go and installing alongside on a new partition. That way when there are missing drivers you can get them from your old Windows partition."

        If you just install it over the old installation, it should move your current copy into windows.old and you can retrieve the drivers that way - worked for me in the past. I just pointed the "add hardware" wizard at C:\windows.old\drivers and it found most of them by itself.

        1. psychonaut

          Re: Clean install Windows or Linux

          Just copy c:\windows\system32, bung it in a temp directory on a USB or whatever and point Device Manager "update driver" at it. That should get everything.

      3. Aqua Marina

        Re: Clean install Windows or Linux

        As I recall, it was Lenovo that used some behind the scenes gubbins, to reinstall their crapware, even when you nuked the hard disk, and installed from scratch.

        http://thenextweb.com/insider/2015/08/12/lenovo-used-a-hidden-windows-feature-to-ensure-its-software-could-not-be-deleted/#gref

        1. TeeCee Gold badge

          Re: Clean install Windows or Linux

          Not just them, I've just spent a merry time with a relative's Dell which did exactly the same thing with self-resurrecting shitware.

          Nuking the OEM partition and then sorting out the sulks-rather-than-boots behaviour afterwards did the trick.

          Dell are staying on my shitlist.

  2. djstardust

    Sigh

    Looking for a new high end laptop but I'm struggling.

    Reading real user (not paid site who don't actually use the machine) reviews either they are loaded with crapware full of vulns or Windows 10 is unstable as hell and BSOD's all the time..... or both. The Microsoft certified units don't seem to be the answer either.

    I can't find anything that seems to be available that is actually secure and works out of the box. I thought the Dell XPS15 was the one but the user reviews are simply shocking. How anyone could release a £1000 to £2000 laptop in that state amazes me.

    Is this what Windows has come to?

    P.S. I'm not interested in Apple or Linux. Thanks.

    1. Cave Dweller

      Re: Sigh

      I've had good mileage getting blank laptops from PC Specialist, there's likely a few other good companies for custom builds. Windows works like a charm on machines that haven't been tainted by vendor crapware, and these security issues only make the "start from blank" case stronger.

      1. Zork-1

        Re: Sigh

        My first non self-built PC was from PCS. I switched to D*** PC for my last rig after PCS sent me a "fixed" hard disk of someone else. The "order number" was exactly the same as the PC I ordered so I thought their database was in a right mess - not good for a company.

        I did not check the contents of the HDD as it could have been full of infected stuff - like those USB sticks on collars of free roaming cats. Sent it back on freepost after they emailed me saying that they had made a mistake.

    2. Nate Amsden

      Re: Sigh

      My real user review of the Lenovo P50 is it works OK (about $3600 loaded up including 3 aftermarket Samsung SSDs and 4 year on site support). 98% of the time in Linux (with a Windows 7 VM for some work things), 2% of the time in Windows 7 (bare metal).

      I think if you don't want the crapware you most likely have to pick a small OEM that installs vanilla software. For me it was more important to have on site support so I wanted a big name vendor. Previous laptop was toshiba (bought in 2010), worked fine though support was a year expired and I didn't want to risk my primary work machine being without support anymore.

      Vulnerabilities like MITM to me are such a low threat level for most users it's just a knee jerk reaction by people a lot of times. Most technical folks will practice relatively safe computing habits (I don't recall being infected with a virus or malware since roughly 1992), and hopefully not using (m)any public wifi access points to reduce attack vectors.

      Less technical folks are likely to be compromised 100 different ways before anyone does a MITM attack against them.

      I remember my grandfather before he died was apparently addicted to granny porn. He bought a Dell computer, would go to the porn sites, get infected, then after a few weeks or whatever the computer became mostly unusable, he would call up Dell, they would remotely reinstall the system, and he would go at it again (this was about 8 years ago maybe).

      Windows 7 OEM end of sale date is coming up pretty quick (end of Oct 2016), and even now it can be difficult to find systems that will ship with it. MS has worked with big players like Intel to ensure lack of compatibility going forward with older Windows systems on new hardware; my company's PC supplier told me some horror stories about their customers rushing to stockpile compatible equipment before the hardware is no longer available (sometimes literally selling out while they had them on the phone).

  3. Charles Spalton 1
    FAIL

    Uhh...

    Do any of the affected machines automatically reinstall this cr*pware out of the BIOS? If so, what do Lenovo actually expect me to do?

    1. phuzz Silver badge
      Headmaster

      Re: Uhh...

      Pretty much every computer now uses UEFI so there's no BIOS in the traditional sense, so no.

      Also, AFAIK, no manufacturer has ever tried to store programs in either BIOS or EFI, so, still no.

      I suspect you mean the recovery partition which is on the harddrive/SSD, and yes, that recovery image probably contains at least some of the crapware, but as others have pointed out, if you do a clean install you won't have that problem, and no, it can't automatically install software from the recovery partition.

      1. Paul Crawford Silver badge

        Re: "no manufacturer has ever tried to store programs in either BIOS"

        Think again:

        http://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/

        Of course there is the WTF? question over Windows supporting this sort of 'feature' in the first place.

        1. Annihilator

          Re: "no manufacturer has ever tried to store programs in either BIOS"

          "Of course there is the WTF? question over Windows supporting this sort of 'feature' in the first place."

          IBM/Lenovo have had "anti-theft" software on their laptops for at least a decade that I know of. It works by checking the primary boot drive for certain files in the Windows directory, and modifies the boot files to launch it.

          Technically, yes, it's exploiting a Windows feature to make it easier, but it could just as easily inject it onto the HDD in the appropriate places and Windows would be none the wiser. Hardware level access to the boot drive, which a BIOS has, = all bets are off!

      2. Justicesays

        Re: Uhh...

        @phuzz

        Unfortunately, Lenovo have been caught doing (almost) exactly this.

        http://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/

        Edit: ninja'd by Paul Crawford

  4. David Knapman

    What gets me down is that, I practically guarantee that today, or next week, or next month, someone will sit down and write the next great "value added" application to be pre-installed for one of these vendors - and make exactly the same mistakes yet again.

    There doesn't seem to be any learning here.

    1. Dadmin

      And there never will be. The crapware is from marketing people, not people who love technology and want you to have a great experience on a system they lovingly designed. It's due to the "lowest price wins" methodology that most people use to purchase tech gear; if it's cheap, it must be better. Buggery buggery bullocks! You get what you pay for most of the time, and sometimes you can get an inside deal and make out like a bandit, but mostly people are getting ripped off and while they're at it getting bombarded with more adverts disguised as applications. When you're scraping the bottom of the barrel for cheap tech solutions, expect there to be tons of crapware for you to wade through because SOMEONE is getting paid for those "appverts" and it's not you. (hint, it's the vendor you chose) So, enjoy your crapware, good people. You have to deal with it, because you are going on the cheap. It's the subsidy for your low-end kit. Without it, you'd be paying more and asking why.

  5. Paul Woodhouse

    If at first you FAIL

    FAIL, FAIL and FAIL again...

    well done Lenovo, staying with the trend here...

  6. Christopher Reeve's Horse
    Terminator

    Possibilities...

    Would it really be beyond the ability of Windows Update (or perhaps security essentials) to let users know they've got compromised software installed? It's getting too difficult to keep up.

    1. Anonymous Coward

      Re: Possibilities...

      Given that the purpose of this crapware was apparently to notify users of application updates, perhaps Lenovo could have just produced an updated version of their own app that would simply cause it to vanish up its own arsehole when downloaded! Maybe after displaying a sincere apology to the user for having installed this junk on their machine in the first place.

  7. jerryboam

    Always start from scratch!

    Hi,

    My second post this year, I am becoming addicted to this site.

    I am a virus hunter and remove viruses from users' PCs literally all day long (correct use of the word!).

    I have thousands of customers and most will bring me any new laptop unopened to reinstall from scratch. It takes about 2 hours and then a half hour talk about what they should and shouldn't do with it.

    I have never had one of these laptops back with a problem but anyone who stays with the OEM version I usually make my money when they inevitably get infected.

    I also do public speaking about computers et al and it is incredible what (usually aged) think about computers etc. Most believe that when their PC gets slow and chuggy with PUPs and viruses it is worn out and is time to buy a new one. I have lost count of how many PCs I have saved from being binned by the owner.

    Finally, I think Windows 10 is fine for the average user and when I have upgraded a user from 7 or 8 they need a 5 minute tour around the new OS and away they go. I never get calls asking where is this or that they seem to just find everything. So all the Windows 10 haters lurking on this site can carry on with Linux (OK but the GUI is crap) and shut up about Windows 10.

    Cue the haters ...

    1. Anonymous Coward

      Re: Always start from scratch!

      "Most believe that when their PC gets slow and chuggy with PUPs and viruses it is worn out and is time to buy a new one."

      If there is one thing that life has taught me, it is to do everything carefully. Do thorough research before using or buying anything new (this applies to all things in life not just software / programs).

      Here's a revolutionary idea for much of the planet's population - make an informed and considered decision rather than just blindly trusting the lying ignorant w@nk3r5 in advertising!

      Am I naive to think that if we could all do this in our day to day life that the world would be on its way towards being a better and happier place to exist?

      The fact that most in advertising / marketing as well as politicians would also be redundant is just an added bonus!

      1. The Boojum

        Re: Always start from scratch!

        Have many, many upvotes for your last two paragraphs. Of course marketing people wouldn't be happier - being otherwise unemployable they'd be out of a job - but that's just an added bonus.

        I see marketing people as the foot troops in the Devil's army attempting to destroy civilization </hyperbole>. They are the ones who engineered the cultural change from 'conserve, make do and mend' to the growth-at-any-cost 'consume, consume, consume, and when a newer thing comes out throw the older thing away and consume some more' culture.

    2. Paul Crawford Silver badge

      Re: Always start from scratch!

      Most of what you say is perfectly sensible.

      However, the "they need a 5 minute tour around the new OS and away they go" is really misleading. You could say exactly the same for switching to Linux if you have no special software, and it is also true.

      What gets people's goat on this site in relation to Microsoft is (A) the malware-like foisting of Windows 10 on end users, and (B) the fact this often breaks established software or work-flows, meaning time and sometimes money wasted getting specialised stuff working again, or XYZ's computer-illiterate relative able to send an email once more as they can't grasp where the button/menu/icon has been moved to.

  8. Captain Badmouth
    Windows

    winx hater

    Hi jerryboam,

    Give us your opinion on the forced winx installations, then. You seem to have missed that bit.

  9. oneeye

    Funny how Chinese products keep ending up with backdoors!

    LG has a constant problem with similar vulns, and Baidu browsers recently found with tons of problems and their SDKs for nearly 500 apps were in trouble too. Then, don't get me started on all the smart phones that come with pre-loaded malware which the OEMs blame the supply chain or rather distribution for. I find it all rather hard to believe that these Chinese software developers are such incompetent developers, and yes, I know all software have bugs, but they all are not of the kind that lead to backdoored compromises. I really need to put together a list.

    1. Notas Badoff

      Re: Funny how Chinese products keep ending up with backdoors!

      " I find it all rather hard to believe that these Chinese software developers are such incompetent developers,..."

      Chinese, French, Mauritanian, Indian, c'mon, *all* new eager developers with stars in their eyes and with no supervision crank out holey hell. Consider the recency of the software industry in China and the naiveté is more understandable (not defensible).

      Now if you want to rail against the equally young and obviously reckless software/hardware companies there, go for it. All this can so easily be explained - and should've been expected - by the previous reckless history of the software industry in <insert your country>.

      Hanlon's razor - it's the comforting (!) explanation when you worry about Baba Yaga stealing your toes.

  10. Wolfclaw

    Is all the bad press and stigma associated with a brand that has security flaws in its own software used to flesh out the supposed Value Added features to hardware, when most users consider it unnecessary bloatware? Give us a bare machine with drivers, less cost to manufacturer and reduced prices to punters, win win to all except Microsoft, as no taxes paid to them!

  11. Captain Badmouth
    FAIL

    A marriage made in hell

    Win10 and Legovo OEM crapware.
