PC maker Lenovo is advising its customers to remove bundled software from its laptops and desktops due to its potential to be used for remote code execution.
The software is the Lenovo Accelerator Application. The company warned that an attacker in a man-in-the-middle position on a network could exploit the vulnerable update mechanism and run arbitrary code on users' systems. Lenovo rates the vulnerability as high risk.
To protect against the vulnerability, Lenovo said users should uninstall the Accelerator Application, which is bundled on a large number of the company's retail notebooks and desktop computers.
The Lenovo Accelerator Application is not installed on the business-grade ThinkPad and ThinkStation computers.
Earlier this week, security vendor Duo Research released a report that highlighted the poor state of security for applications bundled by vendors on their computers.
Duo Research said Lenovo's UpdateAgent, the update component used by the Accelerator Application, "was one of the worst updaters we looked at, providing no security features whatsoever".
UpdateAgent polls a Lenovo server every ten minutes for updates, with the entire exchange in plain text over HTTP. Because the client neither authenticates the server nor verifies the integrity or origin of the patches it downloads and executes, an attacker in a man-in-the-middle position can impersonate the Lenovo update server and deliver malware to users' computers.
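The failure described above, a plaintext update channel combined with no validation of what is downloaded and run, is not specific to one vendor, and the fix is the same for any updater. The following is an added example written for this article, not Lenovo's or Duo's code. It uses only the Go standard library and places an insecure client that behaves the way the article describes next to a hardened one that verifies an Ed25519 signature over the update manifest, requires an HTTPS URL, binds the downloaded payload to the signed manifest by SHA-256, and rejects version rollbacks. The manifest format, the `updates.example.com` URLs and the payload strings are constructed for the example, and the "network" is an in-memory map, so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update descriptor; its fields are assumptions made
// for this example, not the format of any real vendor updater.
type Manifest struct {
	Version int    `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the file the URL serves
}

// UpdateResponse: manifest bytes plus the vendor's detached Ed25519 signature
// over exactly those bytes.
type UpdateResponse struct {
	ManifestJSON []byte
	Signature    []byte
}

// insecureUpdate mirrors the behaviour the article describes: trust whatever the
// server says, download the named file and run it (simulated by returning it).
func insecureUpdate(resp UpdateResponse, fetch func(string) []byte) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(resp.ManifestJSON, &m); err != nil {
		return nil, err
	}
	return fetch(m.URL), nil // no TLS, no signature check, no hash check
}

// secureUpdate refuses anything a man-in-the-middle could have produced: valid
// vendor signature over the manifest, no version rollback, HTTPS only, and the
// downloaded payload must hash to the digest carried in the signed manifest.
func secureUpdate(resp UpdateResponse, fetch func(string) []byte, vendorPub ed25519.PublicKey, installed int) ([]byte, error) {
	if !ed25519.Verify(vendorPub, resp.ManifestJSON, resp.Signature) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(resp.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return nil, errors.New("update URL must use https")
	}
	payload := fetch(m.URL)
	if hexSHA256(payload) != m.SHA256 {
		return nil, errors.New("payload hash does not match signed manifest")
	}
	return payload, nil
}

func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// scenario holds constructed data: a vendor key pair, a genuine signed response,
// the same response as a MITM would rewrite it, and a map standing in for HTTP.
type scenario struct {
	vendorPub ed25519.PublicKey
	genuine   UpdateResponse
	tampered  UpdateResponse
	network   map[string][]byte
}

func (s *scenario) fetch(u string) []byte { return s.network[u] }

func buildScenario() (*scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuinePayload, attackerPayload := []byte("echo genuine update v2"), []byte("echo attacker payload") // constructed
	gm := Manifest{Version: 2, URL: "https://updates.example.com/v2.bin", SHA256: hexSHA256(genuinePayload)}
	gj, _ := json.Marshal(gm)
	genuine := UpdateResponse{ManifestJSON: gj, Signature: ed25519.Sign(priv, gj)}
	// Over plaintext HTTP the attacker rewrites the manifest to point at their own
	// file; lacking the vendor key they can only replay the genuine signature.
	am := Manifest{Version: 3, URL: "http://updates.example.com/v3.bin", SHA256: hexSHA256(attackerPayload)}
	aj, _ := json.Marshal(am)
	tampered := UpdateResponse{ManifestJSON: aj, Signature: genuine.Signature}
	network := map[string][]byte{gm.URL: genuinePayload, am.URL: attackerPayload}
	return &scenario{vendorPub: pub, genuine: genuine, tampered: tampered, network: network}, nil
}

func main() {
	s, _ := buildScenario()
	ran, _ := insecureUpdate(s.tampered, s.fetch)
	_, rejected := secureUpdate(s.tampered, s.fetch, s.vendorPub, 1)
	fmt.Printf("insecure client ran %q; secure client refused: %v\n", ran, rejected)
}
```

The signature over the manifest is the control that actually defeats server impersonation; HTTPS on its own would only protect the channel, and a pinned hash on its own is worthless if the attacker can rewrite the manifest that carries it. Checking the payload hash against the signed manifest closes the remaining gap where the manifest is genuine but the file served at the URL has been swapped.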