The company warned that an attacker in a man-in-the-middle position on the network could exploit the vulnerable update mechanism and run arbitrary code on users' systems. Lenovo rates the vulnerability as high risk. The application's UpdateAgent component contacts a Lenovo server every ten minutes to check for updates, and the entire exchange takes place in plain text over HTTP. Because UpdateAgent makes no effort to validate the patches it downloads and executes, an attacker who can impersonate the Lenovo update server can deliver malware to users' computers.
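To make the two halves of the flaw concrete, here is an added example (not Lenovo's code, and not code from the original post) of the pattern an update agent should follow instead: fetch only over HTTPS, and refuse to run anything whose Authenticode signature is not valid and not from the publisher certificate you expect. The URL and thumbprint are placeholders; the weak flow shown in the comment is the pattern the text describes, not Lenovo's actual implementation.

```powershell
# Added example, not Lenovo's or the original post's code.
# The vulnerable pattern described above, in one line, is essentially:
#   Invoke-WebRequest http://update.example/patch.exe -OutFile patch.exe; Start-Process patch.exe
# i.e. a plaintext fetch followed by unconditional execution. Anyone on the path can
# answer for the server and substitute their own binary.
#
# Hardened flow: HTTPS only, signature must be Valid, and the signer must be the
# certificate we pinned. $Url and $ExpectedThumbprint below are placeholder assumptions.

function Get-VerifiedUpdate {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$Destination = (Join-Path $env:TEMP 'pending-update.exe')
    )

    # 1. Never fetch an executable over plaintext HTTP.
    if ($Url -notmatch '^https://') {
        throw "Refusing to fetch update over a plaintext URL: $Url"
    }
    Invoke-WebRequest -Uri $Url -OutFile $Destination -UseBasicParsing

    # 2. The file must carry a valid Authenticode signature (chain, timestamp, hash all OK).
    $sig = Get-AuthenticodeSignature -FilePath $Destination
    if ($sig.Status -ne 'Valid') {
        Remove-Item -Path $Destination -Force
        throw "Downloaded update rejected: signature status is '$($sig.Status)'"
    }

    # 3. A valid signature from the wrong publisher is still an attack; pin the signer.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        Remove-Item -Path $Destination -Force
        throw "Downloaded update rejected: signed by $actual, expected $ExpectedThumbprint"
    }

    # Only now is the file safe to hand to the installer step.
    return $Destination
}

# Usage (placeholder values; the thumbprint would be the vendor's code-signing cert):
# $patch = Get-VerifiedUpdate -Url 'https://update.example.com/patch.exe' `
#                             -ExpectedThumbprint 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
# Start-Process -FilePath $patch -Wait
```

The order matters: the plaintext check blocks the impersonation the advisory describes, the signature check blocks tampered or substituted binaries even if the transport is later compromised, and the thumbprint pin stops an attacker from simply signing their payload with any certificate Windows happens to trust.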
The full list of affected devices is long but includes the Lenovo Notebook 305, Edge 15, Flex 2 Pro and Yoga product lines. In addition, Lenovo's IdeaCentre and Yoga Home 500 are among the 39 desktop models affected by the flaw. You can read the full list here.
Lenovo ThinkPad and ThinkStation devices are not affected by this security issue.
The Chinese PC maker recommends that users uninstall the software immediately. In Windows 10, open the 'Apps & features' settings page, select Lenovo Accelerator Application and click "Uninstall."
For clients who use our Proactive Managed IT Support services, we have identified whether any of your Lenovo models are affected and have remotely uninstalled the Lenovo Accelerator Application.
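For readers who manage more than one machine, here is an added example (our own illustration, not Lenovo's tooling or the original post's script) of doing the same check and removal from PowerShell rather than by clicking through 'Apps & features'. It looks the application up in the Windows uninstall registry keys and runs the uninstaller the installer registered there. The display-name pattern 'Lenovo Accelerator*' and the silent switches are assumptions; confirm the UninstallString on one host before running this fleet-wide.

```powershell
# Added example, not Lenovo's or the original post's code.
# Detects the Lenovo Accelerator Application via the registry uninstall entries and
# removes it using the registered UninstallString. Save as Remove-LenovoAccelerator.ps1.
# Assumptions: DisplayName begins with 'Lenovo Accelerator'; non-MSI uninstallers accept /S.
param([bool]$DryRun = $false)

function Find-LenovoAccelerator {
    # Both 64-bit and 32-bit (WOW6432Node) uninstall hives; entries without a
    # DisplayName simply fail the -like test.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Lenovo Accelerator*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Remove-LenovoAccelerator {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $system = Get-CimInstance -ClassName Win32_CimputerSystem -ErrorAction SilentlyContinue
    $label  = "$env:COMPUTERNAME ($($system.Manufacturer) $($system.Model))"
    $apps   = @(Find-LenovoAccelerator)

    if ($apps.Count -eq 0) {
        Write-Output "${label}: Lenovo Accelerator Application not installed"
        return
    }

    foreach ($app in $apps) {
        if (-not $app.UninstallString) {
            Write-Warning "${label}: '$($app.DisplayName)' has no UninstallString; remove manually"
            continue
        }

        # MSI-based entries take msiexec switches; other installers get /S (assumption).
        if ($app.UninstallString -match 'msiexec') {
            $cmd = ($app.UninstallString -replace '/I', '/X') + ' /qn /norestart'
        } else {
            $cmd = $app.UninstallString + ' /S'
        }

        if ($PSCmdlet.ShouldProcess($label, "Uninstall '$($app.DisplayName)' via: $cmd")) {
            $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $cmd" -Wait -PassThru
            Write-Output "${label}: uninstaller for '$($app.DisplayName)' exited with code $($proc.ExitCode)"
        }
    }
}

# -WhatIf prints what would run without running it; pass $DryRun = $true for a dry run.
Remove-LenovoAccelerator -WhatIf:$DryRun
```

To run it against a list of hosts that have WinRM enabled (host names here are whatever you keep in your own inventory file), use Invoke-Command with -FilePath, which ships the whole script to each machine: `Invoke-Command -ComputerName (Get-Content .\lenovo-hosts.txt) -FilePath .\Remove-LenovoAccelerator.ps1 -ArgumentList $true` for a dry run first, then again with `$false` to actually uninstall. Because detection keys off the installed application rather than the model name, a machine outside the published model list that nonetheless has the application installed is still caught.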