Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs


from the not-learning-any-lessons dept

It looks like Lenovo may not have learned much from February’s Superfish shenanigans. If you recall, Lenovo was busted for stealthily installing adware on consumer laptops. Worse, the Superfish adware in question opened up all Lenovo customers to man-in-the-middle attacks by faking the encryption certificates for every HTTPS-protected website customers visited. When pressed, Lenovo idiotically denied there was any security threat introduced by faking encryption certs solely for the sake of pushing ads.

Lenovo’s now under fire this week for reinstalling the company’s bloatware on Lenovo laptops, even when customers have done a fresh install of Windows. First noticed by an Ars Technica forum regular and confirmed by readers at Hacker News, as well as users over at Reddit, Lenovo appears to be hiding its crapware installation in the laptop BIOS, so it gets installed even after fresh Windows installs:

“I had this happen to me a few weeks ago, on a brand new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn’t understand how a Lenovo service was installed and running! Delete the file and it reappears on reboot. I’ve never seen anything like this before.
Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months.”

Apparently, Lenovo’s using a Windows function called Microsoft Windows Platform Binary Table (WPBT), originally designed to help simplify the installation of proprietary drivers and anti-theft software (obviously since any good thief would do a clean install relatively quickly after theft). Except in this case, Lenovo’s using it as a way to force the laptop to phone home to Lenovo servers so adware can be installed.

Basically, before booting Windows, the Lenovo Service Engine (LSE) built into the laptop’s firmware replaces Microsoft’s copy of autochk.exe with Lenovo’s version. Lenovo’s version then ensures that LenovoUpdate.exe and LenovoCheck.exe are present in Windows’ system32 directory, with full administrative rights. Lo and behold, you then get Lenovo crapware — and a machine that phones home to Lenovo servers — even if you think you’ve avoided such practices via what you incorrectly assumed was a truly clean OS install.
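To check whether a machine's firmware publishes a WPBT at all, the table can be dumped and decoded. The Python below is an added example, not code from the original article, Lenovo or Microsoft; it parses a raw WPBT ACPI table using the field layout from Microsoft's published WPBT format. The function names `parse_wpbt` and `build_sample` are hypothetical, and the sample table is constructed for the demo.

```python
import struct
import sys

# 36-byte ACPI table header, then the WPBT-specific fields (little-endian).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")  # size, address, layout, type, arg length
FIXED = ACPI_HEADER.size + WPBT_BODY.size


def parse_wpbt(table: bytes) -> dict:
    """Validate a raw WPBT table and return its decoded fields."""
    if len(table) < FIXED:
        raise ValueError("table too short to be a WPBT")
    sig, length, _, _, oem_id, oem_table, _, _, _ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not FIXED <= length <= len(table):
        raise ValueError("length field does not match the data")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if FIXED + arg_len > length:
        raise ValueError("argument length runs past the table")
    args = table[FIXED:FIXED + arg_len].decode("utf-16-le", "replace")
    return {
        "checksum_ok": sum(table[:length]) % 256 == 0,  # ACPI rule: bytes sum to 0
        "oem_id": oem_id.decode("ascii", "replace").strip("\0 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\0 "),
        "binary_size": size,          # bytes of the firmware-supplied executable
        "binary_phys_addr": addr,     # physical address of that executable
        "content_layout": layout,     # 1 = single flat PE image
        "content_type": ctype,        # 1 = native user-mode application
        "arguments": args.rstrip("\0"),
    }


def build_sample() -> bytes:
    """Constructed table for the demo; OEM strings, size and address are made up."""
    args = "demo\0".encode("utf-16-le")
    body = WPBT_BODY.pack(0x4000, 0x7F000000, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", FIXED + len(args), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    raw = bytearray(header + body)
    raw[9] = -sum(raw) % 256  # fix up the checksum byte
    return bytes(raw)


if __name__ == "__main__":
    # Optional argument: a dumped table, e.g. /sys/firmware/acpi/tables/WPBT on Linux.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_wpbt(data))
```

A table that parses cleanly with a non-zero `binary_size` means the firmware is handing Windows an executable to run at boot, which is worth investigating on any machine expected to have a clean install.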

You’ll be shocked to learn that this practice isn’t particularly secure. Back in April, security researcher Roel Schouwenberg found and reported that a buffer-overflow vulnerability in the LSE (not to mention insecure network transmission) could easily be exploited by hackers. Once Lenovo learned of the security risk, and likely received a wrist slap from Redmond for running afoul of Microsoft’s security standards regarding WPBT, Lenovo very quietly backed away from the practice last June, then released tools for laptops and desktops to aid in the removal of the LSE.

Clearly, since users are only just in August realizing this problem exists, Lenovo did a wonderful job communicating the issue to its customers. Lenovo now says that any computer sold since June should not include this stealth crapware installation mechanism, but somehow it still thought it was a great idea to use this technology from between October 2014 and April of this year. While Microsoft’s WPBT may be well-intentioned, it’s also hard to see how it couldn’t foresee the potential pitfalls of letting third parties use the BIOS to inject additional software into a fresh install (regardless of whatever “guidelines” they’ve belatedly attached).

Meanwhile, on the heels of the Superfish scandal, it’s becoming pretty clear that customers who want actual control of the hardware they own might just want to steer clear of Lenovo until the company wises up.

Filed Under: adware, bios, crapware, fresh install, malware, reinstall, thinkpads, windows

Companies: lenovo

