Lenovo PCs installed custom software even if you wiped them (updated)

Samsung isn't the only Windows PC maker to have hijacked Windows' update process as of late. Users have noticed that some Lenovo PCs running Windows 7 and 8 (such as the Yoga 3) had firmware that automatically downloaded and installed Lenovo's own update software on boot, overwriting a Windows system file at the same time. More disconcertingly, this was true even if you wiped the system clean. So long as you were reinstalling a compatible version of Windows in the first place (including Windows 10), those Lenovo apps would inevitably return.

The only reason it's not an ongoing issue is that Lenovo just recently released an optional patch that removes the offending code. Why? As you might have guessed, forcing a PC to download programs on boot introduces a massive security risk -- attackers can spoof the server and install malware whenever you restart your computer. That's more than a little disconcerting, especially if you thought that Lenovo had already removed vulnerable software from your system.

Lenovo was technically in the clear. It was taking advantage of a little-known feature, the Windows Platform Binary Table, to insert the code. However, Lenovo's approach was largely unadvertised to users and "not consistent" with Microsoft's current security guidelines. You might not have known that Lenovo was loading this software in the first place, let alone that it created a security hole. While it's good to know that there's a fix, the discovery underscores the problems with letting PC vendors override core Windows functions -- in at least some cases, they're creating more problems than they solve.
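The mechanism the article names, the Windows Platform Binary Table, is an ACPI table that the firmware exposes and that Windows reads at boot. The following PowerShell check is an added example, not code from the article, from Lenovo, or from Microsoft: it asks the firmware whether a WPBT is present and, if so, prints who supplied it and what it hands to Windows, so an administrator can confirm the table is expected and patched. It assumes the documented Win32 API GetSystemFirmwareTable and the WPBT field layout as I read it from Microsoft's published WPBT specification; run it from an elevated PowerShell on the machine being checked.

```powershell
# Added example (not part of the article): ask the firmware whether it exposes
# a Windows Platform Binary Table (WPBT). Assumes the documented Win32 API
# GetSystemFirmwareTable, called through P/Invoke.
$def = @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(
    uint FirmwareTableProviderSignature, uint FirmwareTableID,
    IntPtr pFirmwareTableBuffer, uint BufferSize);
"@
$Fw = Add-Type -MemberDefinition $def -Name 'NativeFw' -Namespace 'WpbtCheck' -PassThru

$ACPI = 0x41435049   # provider signature 'ACPI'
$WPBT = 0x54425057   # table signature "WPBT", passed as a little-endian DWORD

# A call with an empty buffer returns the size needed (0 when no such table exists).
$size = $Fw::GetSystemFirmwareTable($ACPI, $WPBT, [IntPtr]::Zero, 0)
if ($size -eq 0) {
    Write-Output "No WPBT table is exposed by this firmware."
    return
}

$buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$size)
try {
    [void]$Fw::GetSystemFirmwareTable($ACPI, $WPBT, $buf, $size)
    $table = New-Object byte[] $size
    [Runtime.InteropServices.Marshal]::Copy($buf, $table, 0, [int]$size)
} finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
}

# Standard 36-byte ACPI header, then the WPBT body as laid out in Microsoft's
# WPBT specification (my reading of it; check it against the spec yourself):
#   +36 UINT32 handoff memory size     +40 UINT64 handoff memory location
#   +48 UINT8  content layout          +49 UINT8  content type
#   +50 UINT16 command-line length     +52 UTF-16 command line
$ascii = [Text.Encoding]::ASCII
$info = [ordered]@{
    Signature      = $ascii.GetString($table, 0, 4)
    Length         = [BitConverter]::ToUInt32($table, 4)
    OemId          = $ascii.GetString($table, 10, 6).Trim()
    OemTableId     = $ascii.GetString($table, 16, 8).Trim()
    BinarySize     = [BitConverter]::ToUInt32($table, 36)
    BinaryPhysAddr = '0x{0:X}' -f [BitConverter]::ToUInt64($table, 40)
    ContentLayout  = $table[48]
    ContentType    = $table[49]
}
if ($size -ge 52) {
    # Clamp the command-line length to what the buffer actually holds.
    $cmdLen = [Math]::Min([int][BitConverter]::ToUInt16($table, 50), [int]$size - 52)
    $info.CommandLine = [Text.Encoding]::Unicode.GetString($table, 52, $cmdLen)
}
[PSCustomObject]$info
Write-Warning "This firmware hands a binary to Windows on every boot; confirm it is the vendor's current, patched version."
```

A non-zero result is not by itself a finding: the check only tells you that the firmware is using the same boot-time hand-off the article describes, which is exactly the thing a reinstall of Windows does not remove, so it belongs in the post-wipe baseline of any fleet you manage.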

Update: Lenovo has since released a statement, and notes that all systems made from June onward have BIOS firmware that eliminates the vulnerability, and it's no longer installing Lenovo Service Engine (the problematic software) on PCs. If you have any Think-branded computers, they're already LSE-free.