Lenovo PCs installed custom software even if you wiped them (updated)

Samsung isn't the only Windows PC maker to have hijacked Windows' update process as of late. Users have noticed that some Lenovo PCs running Windows 7 and 8 (such as the Yoga 3) had firmware that automatically downloaded and installed Lenovo's own update software on boot, overwriting a Windows system file at the same time. More disconcertingly, this was true even if you wiped the system clean. So long as you were reinstalling a compatible version of Windows in the first place (including Windows 10), those Lenovo apps would inevitably return.

The only reason it's not an ongoing issue is that Lenovo just recently released an optional patch that removes the offending code. Why? As you might have guessed, forcing a PC to download programs on boot introduces a massive security risk -- attackers can spoof the server and install malware whenever you restart your computer. That's more than a little disconcerting, especially if you thought that Lenovo had already removed vulnerable software from your system.

Lenovo was technically in the clear. It was taking advantage of a little-known feature, the Windows Platform Binary Table, to insert the code. However, Lenovo's approach was largely unadvertised to users and "not consistent" with Microsoft's current security guidelines. You might not have known that Lenovo was loading this software in the first place, let alone that it created a security hole. While it's good to know that there's a fix, the discovery underscores the problems with letting PC vendors override core Windows functions -- in at least some cases, they're creating more problems than they solve.
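To check whether a machine's firmware publishes a Windows Platform Binary Table, a defender can read the raw ACPI table (on Linux it appears as /sys/firmware/acpi/tables/WPBT when present, readable as root) and parse it. The Python below is an added example, not code from the article, Lenovo or Microsoft; the sample table and its OEM strings are constructed, and decoding the arguments as UTF-16LE is an assumption.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, address, layout, type, args length

def parse_wpbt(raw):
    """Parse a raw WPBT ACPI table and report what the firmware hands to Windows."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(raw) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, rev, _ck, oem_id, oem_table, _, _, _ = ACPI_HEADER.unpack_from(raw, 0)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if not fixed <= length <= len(raw):
        raise ValueError("header length field is inconsistent with the data")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    if fixed + arg_len > length:
        raise ValueError("argument length runs past the end of the table")
    args = raw[fixed:fixed + arg_len]
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip("\0 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\0 "),
        "revision": rev,
        # ACPI rule: all bytes of the table sum to 0 modulo 256
        "checksum_ok": sum(raw[:length]) % 256 == 0,
        "handoff_size": size,        # size in bytes of the binary image in memory
        "handoff_address": addr,     # physical address of that image
        "content_layout": layout,
        "content_type": ctype,
        # Assumption: arguments are a NUL-terminated UTF-16LE string
        "arguments": args.decode("utf-16-le", "replace").rstrip("\0"),
    }

def build_sample_wpbt(arguments="/demo"):
    """Constructed sample table for offline testing; not a dump from a real PC."""
    arg_bytes = (arguments + "\0").encode("utf-16-le")
    body = WPBT_BODY.pack(0x4000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes
    length = ACPI_HEADER.size + len(body)
    raw = bytearray(ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE",
                                     b"EXAMPLE ", 1, b"TEST", 1) + body)
    raw[9] = -sum(raw) & 0xFF  # checksum byte sits at offset 9 of the header
    return bytes(raw)

if __name__ == "__main__":
    for key, value in parse_wpbt(build_sample_wpbt()).items():
        print(key, "=", value)
```

On a real system, pass the bytes read from the WPBT file to `parse_wpbt`; if that file does not exist, the firmware is not publishing the table.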

Update: Lenovo has since released a statement, and notes that all systems made in June onwards have BIOS firmware that eliminates the vulnerability, and it's no longer installing Lenovo Service Engine (the problematic software) on PCs. If you have any Think-branded computers, they're already LSE-free.
