Lenovo PCs installed custom software even if you wiped them (updated)

Jon Fingas, @jonfingas
August 12, 2015

Samsung isn't the only Windows PC maker to have hijacked Windows' update process as of late. Users have noticed that some Lenovo PCs running Windows 7 and 8 (such as the Yoga 3) had firmware that automatically downloaded and installed Lenovo's own update software on boot, overwriting a Windows system file at the same time. More disconcertingly, this was true even if you wiped the system clean. So long as you were reinstalling a compatible version of Windows in the first place (including Windows 10), those Lenovo apps would inevitably return.

The only reason it's not an ongoing issue is that Lenovo just recently released an optional patch that removes the offending code. Why? As you might have guessed, forcing a PC to download programs on boot introduces a massive security risk -- attackers can spoof the server and install malware whenever you restart your computer. That's more than a little disconcerting, especially if you thought that Lenovo had already removed vulnerable software from your system.

Lenovo was technically in the clear. It was taking advantage of a little-known feature, the Windows Platform Binary Table, to insert the code. However, Lenovo's approach was largely unadvertised to users and "not consistent" with Microsoft's current security guidelines. You might not have known that Lenovo was loading this software in the first place, let alone that it created a security hole. While it's good to know that there's a fix, the discovery underscores the problems with letting PC vendors override core Windows functions -- in at least some cases, they're creating more problems than they solve.

Update: Lenovo has since released a statement, and notes that all systems made in June onwards have BIOS firmware that eliminates the vulnerability, and it's no longer installing Lenovo Service Engine (the problematic software) on PCs. If you have any Think-branded computers, they're already LSE-free.
