UPDATED 4 pm ET June 3 with comment from Lenovo.
Lenovo PC users: It's time to fire up Add or Remove Programs. The company just put out an advisory warning to remove Lenovo Accelerator, a utility preinstalled on 115 different models of its Windows 10 desktops and notebooks that leaves users vulnerable to attack.
According to Lenovo, Accelerator "is used to speed up the launch of Lenovo applications," but leaves users vulnerable to a man-in-the-middle attack. Man-in-the-middle attacks work on network transmissions sent without encryption, typically over a public Wi-Fi network or when a user accesses an unsecured website.
This warning was published on Tuesday (May 31), and came in the immediate aftermath of a report that denounced the evils of laptop bloatware from Ann Arbor, Michigan-based Duo Security. Keeping Lenovo's Accelerator installed would likely allow malcontents to spy on your activity, as well as steal account IDs and passwords.
To see if your machine is affected, check out Lenovo's full list of machines that have Accelerator preloaded. Lenovo's advisory mentions only Windows 10, and it's not clear whether this vulnerability also affects Lenovo computers that shipped with Windows 7 or Windows 8/8.1.
The bloatware report from Duo focused on manufacturer updater applications such Lenovo's UpdateAgent. In its advisory, Lenovo did not specify whether UpdateAgent was involved, but noted that Accelerator's vulnerability "resides within" the program's "update mechanism where a Lenovo server is queried to identify if application updates are available."
Of the manufacturers that Duo criticized for software updaters that create security vulnerabilities, only Lenovo and Dell have publicly taken steps to ameliorate the situation. HP, Asus and Acer have stayed silent, although HP's own updaters were relatively well protected.
Duo's advice for saving computers from bloatware is as complete as it is drastic. You can remove all that bloatware by wiping your hard drive, including any hidden partitions created by the manufacturer, and re-installing Windows from scratch.
To perform this task on a Windows 10 machine, you'll need to create an installation thumb drive (you can make your own here). Don't worry about looking for the activation key on a sticker affixed to your machine -- if the computer arrived with Windows 10 already installed, you can reinstall indefinitely without the key.
We've asked Lenovo for a comment regarding the vulnerability, and if Windows 7 or 8.1 users are affected, and will update this story if and when we receive a response.
UPDATE: In a statement to LaptopMag issued today (June 3), Lenovo said, "Security researchers at Duo Security recently notified Lenovo of a vulnerability in the Lenovo Accelerator Application software that could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism."
- Best Antivirus Protection for PC, Mac and Android
- Your Router's Security Stinks: Here's How to Fix It
- Top 10 Malware Myths and Facts