Lenovo Caught Installing Immortal Crapware
Lenovo has again been caught playing fast and loose with customers’ privacy and security. First, it was Superfish. Now, it's vulnerable crapware that won't go away, even if you reformat or replace your hard drive. Read on for the full story...
Lenovo Strikes (out) Again
In February of this year, I described how computer maker Lenovo was shipping laptops with adware that puts all of your Web browsing sessions at risk of hacking. Just as the furor over Superfish died down, Lenovo has been caught doing something even more egregious.
In 2011, Microsoft added a feature to Windows called Windows Platform Binary Table (WPBT). It allows computer vendors like Lenovo to store software in a PC’s firmware and inject it into the Windows system files upon startup. Such software is practically undetectable and “immortal.”
Reformatting or even replacing a hard drive will have no effect on software stored in firmware. In addition, software stored in firmware cannot be detected by ordinary anti-malware programs.
That's because firmware resides on a chip on the computer's motherboard, and not the hard drive. It cannot be erased without flashing the firmware ROM, an operation normally done only to update the system BIOS.
WPBT is intended to make computers more secure. Computer makers have the ability to embed security and license-verification software in firmware, where it cannot be erased by a virus or software pirate. But Lenovo went a step further than Microsoft intended.
Resistance is Futile
The Lenovo Service Engine (LSE) utility, which is built on the WPBT platform, was embedded in the firmware of desktops and laptops manufactured between October 23, 2014, and April 10, 2015. LSE behaves differently on Lenovo laptops than it does on desktops.
Upon startup of a laptop, LSE copies two files to the Windows\system32 folder if they don’t already exist. These files, LenovoUpdate.exe and LenovoCheck.exe, connect to the Internet upon system startup to download drivers, a “system optimization” utility, and whatever else Lenovo wants to plant on your machine.
There’s nothing you can do to stop these installations, and if you remove the unwanted files, they reappear the next time you restart your laptop.
LSE also gathers some information about the machine that Windows is installed on, including its unique identifying number, and sends that data to Lenovo. This sneaky data collection executes only the first time a machine connects to the Internet, and contains nothing about the user. But it’s still sneaky, and high-handed because it cannot be stopped by the owner of the machine. This operation occurs on both laptops and desktops.
LSE does not install additional software on desktops. Only the data collection function happens there. But laptops are definitely vulnerable to this “immortal” Lenovo crapware.
Adding Injury to Insult
Making matters worse, a buffer-overflow vulnerability in LSE was recently discovered by security researcher Roel Schouwenberg, who worked for Kaspersky Labs until February, 2015. This flaw allows an attacker to gain administrator-level privileges on any computer that bears LSE, desktop or laptop.
There is no excuse for buffer-overflow flaws existing in any modern software. This class of software flaws is one of the oldest and most obvious vulnerabilities, one of the first things for which hackers and security researchers check. Lenovo should have tested for buffer-overflow flaws before releasing LSE. Not doing so is as negligent as shipping cars with loose tire lug nuts.
Not all Lenovo products have the LSE vulnerability. In particular, “Think” branded Lenovo products do not bear LSE. A list of all affected desktop and laptop models can be perused here.
Lenovo very quietly discontinued LSE in April, and released two utilities that will uninstall LSE from machines that bear it. But as far as I can tell, it was not automatically pushed out to customers. So it's up to you to apply the fix. The procedure for Lenovo laptops is described here. The fix for Lenovo desktops can be downloaded here.
Microsoft reportedly censured Lenovo for failing to adhere to Microsoft’s guidelines regarding apps developed using WPBT. Microsoft has tightened those requirements and decertified LSE. WPBT has legitimate uses, but poisoning firmware with hackable “immortal” crapware is not one of them.
I don't think there was any malicious intent here on Lenovo's part. But they were inexcusably sloppy. Can Lenovo be trusted again? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 21 Aug 2015
|For Fun: Buy Bob a Snickers.|
Microsoft Edge Needs Sharpening
The Top Twenty
Should You Get a Laplet?
There's more reader feedback... See all 53 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Lenovo Caught Installing Immortal Crapware (Posted: 21 Aug 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved