
Lenovo caught installing bloatware again with Windows BIOS backdoor

Lenovo has backtracked over the use of a little-known Windows BIOS trick that installs persistent software on the firm's systems without the user's consent, even if the user wiped the entire operating system to try to remove it.
The company has released patches to remove the software from a raft of its devices, as the feature left systems open to attack and was "not consistent" with new guidelines put forward by Microsoft.


The tool in question was called Lenovo Service Engine (LSE), and it downloaded a program called OneKey Optimizer, used for "enhancing PC performance by updating firmware, drivers and pre-installed apps".


It took advantage of a Windows feature called the Windows Platform Binary Table (WPBT), an ACPI table through which the firmware can hand Windows a native program that Windows copies to disk and runs during boot. The feature is intended to let "critical software" stay in place even after the operating system has been wiped and reinstalled.


However, Lenovo was using this to ensure its own software would be reinstalled on the device even if the user had removed it.


On specific Lenovo systems the BIOS was set to check a boot-time file in the System32 directory. If only the stock Microsoft file is present, the firmware overwrites it with a Lenovo version that carries the manufacturer's software.

Two files, LenovoUpdate.exe and LenovoCheck.exe, were then placed on the system and set to run, downloading Lenovo's software automatically as soon as the device connected to the internet.
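The practical question for an administrator is whether a given machine carries a WPBT table and whether anything has been dropped into System32 through it. The script below is an added example, not code from the article or from Lenovo: it enumerates the ACPI tables through the documented Win32 EnumSystemFirmwareTables/GetSystemFirmwareTable APIs, parses the WPBT header if one is present, checks the DisableWpbtExecution registry value that Microsoft's WPBT specification defines as the opt-out, and inspects the Authenticode signature of the two files named above. The WPBT field offsets, the wpbbin.exe file name and the registry value come from Microsoft's WPBT specification, not from the article, and are assumptions as far as this page is concerned.

```powershell
# Added example (not Lenovo's or the article's code): detect a WPBT table on a
# Windows machine and look for the artefacts the article describes.
# Assumptions taken from Microsoft's WPBT specification, not from the article:
#   - Windows extracts the firmware-provided binary to System32\wpbbin.exe
#   - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DisableWpbtExecution = 1
#     tells Windows not to run the WPBT binary
# Requires Windows; run from an elevated PowerShell prompt.

Add-Type -Namespace Win32 -Name Firmware -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

$ACPI = 0x41435049   # provider signature 'ACPI', as documented for GetSystemFirmwareTable

function Get-AcpiTableSignatures {
    # Enumerate every ACPI table; the buffer is a list of 4-byte ASCII signatures.
    $needed = [Win32.Firmware]::EnumSystemFirmwareTables($ACPI, $null, 0)
    if ($needed -eq 0) { return @() }
    $buf = New-Object byte[] ([int]$needed)
    [void][Win32.Firmware]::EnumSystemFirmwareTables($ACPI, $buf, $needed)
    for ($i = 0; $i -lt $needed; $i += 4) {
        [Text.Encoding]::ASCII.GetString($buf, $i, 4)
    }
}

function Get-WpbtTable {
    # The table ID must have the bytes "WPBT" in memory order, so build it from ASCII bytes
    # rather than from a numeric literal (avoids the byte-order pitfall of this API).
    $id = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
    $needed = [Win32.Firmware]::GetSystemFirmwareTable($ACPI, $id, $null, 0)
    if ($needed -eq 0) { return $null }
    $buf = New-Object byte[] ([int]$needed)
    [void][Win32.Firmware]::GetSystemFirmwareTable($ACPI, $id, $buf, $needed)
    # Layout per the WPBT spec (assumption): 36-byte ACPI header, then handoff size (u32 @36),
    # handoff physical address (u64 @40), content layout (u8 @48), content type (u8 @49),
    # argument length (u16 @50) and UTF-16 command-line arguments (@52).
    $argLen = if ($buf.Length -ge 52) { [BitConverter]::ToUInt16($buf, 50) } else { 0 }
    [pscustomobject]@{
        Length         = [BitConverter]::ToUInt32($buf, 4)
        OemId          = [Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim()
        OemTableId     = [Text.Encoding]::ASCII.GetString($buf, 16, 8).Trim()
        BinarySize     = [BitConverter]::ToUInt32($buf, 36)
        BinaryPhysAddr = ('0x{0:X}' -f [BitConverter]::ToUInt64($buf, 40))
        ContentLayout  = $buf[48]   # 1 = single PE image
        ContentType    = $buf[49]   # 1 = native user-mode application
        Arguments      = if ($argLen -gt 0) { [Text.Encoding]::Unicode.GetString($buf, 52, $argLen) } else { '' }
    }
}

function Test-WpbtDisabled {
    # Returns $true when the administrator has opted out of WPBT execution.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name DisableWpbtExecution -ErrorAction SilentlyContinue).DisableWpbtExecution
    return ($v -eq 1)
}

function Get-SuspectSystem32Files {
    # The two files the article names, plus the file Windows writes the WPBT payload to.
    $names = 'LenovoUpdate.exe', 'LenovoCheck.exe', 'wpbbin.exe'
    foreach ($n in $names) {
        $p = Join-Path $env:SystemRoot "System32\$n"
        if (Test-Path $p) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            [pscustomobject]@{ Path = $p; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
        }
    }
}

$sigs = Get-AcpiTableSignatures
"ACPI tables: $($sigs -join ', ')"
if ($sigs -contains 'WPBT') {
    "WPBT table present:"
    Get-WpbtTable | Format-List
} else {
    "No WPBT table exposed by firmware"
}
"WPBT execution disabled by policy: $(Test-WpbtDisabled)"
Get-SuspectSystem32Files | Format-Table -AutoSize
```

A present WPBT table is not itself evidence of compromise; what matters is who signed the payload and whether you expected it. If the policy check reports false and the organisation does not want firmware-supplied binaries to run, setting DisableWpbtExecution to 1 under the same Session Manager key (with New-ItemProperty and a reboot) stops Windows from launching the payload, but it does not remove a BIOS that overwrites files directly, so the firmware update Lenovo issued remains the fix for the behaviour described in this article.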


However, the set-up sent system data to Lenovo automatically by default and was found to be vulnerable to attack. Lenovo said it was first warned of the issue by security researcher Roel Schouwenberg around April to May and verified the flaws with Microsoft.


"Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server," it added.


As a result, Lenovo has now issued two security advisories to remove the software. The update for its affected desktop machines is listed as 'low' severity, but the Lenovo notebook security fix is marked as 'high' severity owing to a further vulnerability that could be used by an attacker to escalate system privileges.

Affected machines include the Yoga 3, Flex 2, Pro 15 and V3000 notebooks and the H, C and Horizon desktop ranges. However, its ThinkPad range is not affected.





Lenovo has urged users to install the updates as quickly as possible.
"[LSE] is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware which disables and/or removes this feature," the firm said.


Lenovo came under fire earlier this year for releasing hardware with a form of adware pre-installed called Superfish.


Lenovo has moved to calm concerns that it compromised laptop customers' privacy using the notorious Superfish adware.
The claims erupted on the Lenovo forum, where a multitude of customers reported finding Superfish installed on their machines.
Superfish is adware that installs its own self-signed root certificate so that it can intercept encrypted web traffic, collects data such as web browsing information from that traffic and then uses it to push advertisements to the user.


Lenovo's chief technology officer promised in February that the company would stop production of any adware-infected products.

Lenovo CTO Peter Hortensius has now promised that Lenovo will never again ship Superfish preloaded, and that it is working with partners and experts to reduce the inclusion of other 'bloatware' in its laptops.
"We stopped the preloads and will not include this Superfish software in any devices in the future," he wrote.
"We are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."


He said this will include "creating a cleaner PC image" and working with customers and privacy/security experts to "create the right preload strategy".


The comments come a day after Lenovo confirmed that it had teamed up with Microsoft and McAfee to remove the Superfish adware following concerns about security.





