1. #1
    Deleted

    Lenovo crams unremovable malware into Windows laptops – by hiding it in the BIOS

    Source: http://www.theregister.co.uk/2015/08...irmware_nasty/

    Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability.

    If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop's firmware will quietly and automatically reinstall Lenovo's software on the next boot-up.

    Built into the firmware on the laptops' motherboard is a piece of code called the Lenovo Service Engine (LSE). If Windows is installed, the LSE is executed before the Microsoft operating system is launched.
    ...
    LenovoCheck and LenovoUpdate are executed on startup with full administrator access. Automatically, and rather rudely, they connect to the internet to download and install drivers, a system "optimizer", and whatever else Lenovo wants on your computer. Lenovo's software also phones home to the Chinese giant details of the running system.

    To pull this off, the LSE exploits Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.

    The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.
    ...
    security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.
    ...
    After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft's security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.

    Lenovo has also pulled the LSE from new desktop machines. Incredibly, Lenovo was shipping desktop PCs that feature the LSE in their firmware. These models phone home system data, but do not install any extra software, and do not suffer from the aforementioned privilege-escalation vulnerability. The PC maker's laptops definitely do, however.
    ...
    A tool quietly released on July 31 will uninstall the engine if it is present in your machine: it is available here for notebooks, and available here for desktops.

    On Tuesday this week, Lenovo published a full list of affected desktop and notebook models. Desktop machines built between October 23, 2014 and April 10, 2015, with Windows 8 preinstalled, have the LSE inside them.

    Think-branded PCs did not include the LSE, we're told.
    ...
    Suffice to say, netizens who have discovered this creepy code on their machines are not happy.

    "I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Windows 8 DVD and Wi-Fi turned off," a Hacker News user called chuckup said on Tuesday, on noticing Lenovo's bundleware suddenly appearing on his or her new computer.

    "I couldn't understand how a Lenovo service was installed and running. Delete the file and it reappears on reboot. I've never seen anything like this before. Something to think about before buying Lenovo."

    What is worrying is that all of this is pretty much what Microsoft intended. Its WPBT is engineered to allow manufacturers to painlessly inject drivers and programs into the operating system. It's supposed to be used for things like anti-theft tools, so a system can be disabled via the internet if it's stolen.
    ...
    "Richard Stallman is sounding less and less crazy with discoveries like this," noted another Hacker News poster, referring to the Free Software Foundation supremo who has warned for decades that we're losing control of our computers.

    "To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become."

    This comes on the back of Lenovo's Superfish scandal, in which the PC maker shipped laptops with adware on them that opened up people to man-in-the-middle eavesdropping. Miscreants could exploit the bundled crapware to snoop on victims' encrypted connections to websites.

    We've asked Microsoft to explain the thinking behind its WPBT feature. The Redmond giant was not available for immediate comment.
    Note: Microsoft's WPBT feature was introduced with Windows 8.
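    Added example (not from the article, the thread, or Lenovo): a small Python parser for the WPBT ACPI table described above, so a defender can check whether a machine's firmware is handing Windows a platform binary, where in memory it sits, and with what command line. The field layout follows Microsoft's published WPBT spec; the sample table bytes are constructed, the sysfs path is the Linux one, and the meaning of the command-line length field (UCS-2 characters) is an assumption noted in the comments.

```python
import os
import struct

# ACPI system description table header: 36 bytes, little-endian.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields after the header (Microsoft WPBT spec): handoff memory size,
# physical address, content layout, content type, command-line length (assumed to
# count UCS-2 characters); the UCS-2 command line itself follows these fields.
WPBT_BODY = struct.Struct("<IQBBH")
# Linux exposes raw ACPI tables here; on Windows use GetSystemFirmwareTable('ACPI', 'WPBT').
SYSFS_WPBT = "/sys/firmware/acpi/tables/WPBT"


def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT table and report what the firmware is asking Windows to run."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("buffer too short to be a WPBT table")
    sig, length, _rev, _chk, oem, oem_tbl, _, _, _ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length != len(table):
        raise ValueError(f"length field {length} does not match buffer size {len(table)}")
    size, addr, layout, ctype, _cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    raw_cmd = table[ACPI_HEADER.size + WPBT_BODY.size:]
    return {
        "oem_id": oem.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tbl.decode("ascii", "replace").strip(),
        "checksum_ok": sum(table) % 256 == 0,   # all table bytes must sum to 0 mod 256
        "binary_phys_addr": addr,               # where the platform binary sits in RAM
        "binary_size": size,
        "single_pe_image": layout == 1,         # layout 1 = a single PE image
        "native_user_mode_app": ctype == 1,     # type 1 = native NT user-mode application
        "command_line": raw_cmd.decode("utf-16-le", "replace").rstrip("\x00"),
    }


def build_sample(cmdline: str = "/silent") -> bytes:
    """Construct a synthetic WPBT table (demo values only, not from any real machine)."""
    cmd = cmdline.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(0x1F000, 0x8F120000, 1, 1, len(cmdline))
    length = ACPI_HEADER.size + len(body) + len(cmd)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"DEMO  ", b"DEMOWPBT", 1, b"DEMO", 1)
    raw = bytearray(hdr + body + cmd)
    raw[9] = (-sum(raw)) & 0xFF                 # fix up the header checksum byte (offset 9)
    return bytes(raw)


if __name__ == "__main__":
    data = open(SYSFS_WPBT, "rb").read() if os.path.exists(SYSFS_WPBT) else build_sample()
    print(parse_wpbt(data))
```

A machine whose firmware does not use the feature simply has no WPBT table; if one is present, the reported address and size tell you which memory region to dump and inspect.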

  2. #2
    Kujako
    Lenovo notebooks have had this feature for years. Long before Windows 8 you could order one with a low-jack program that would auto install out of the BIOS.
    It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shakes, the shakes become a warning.

    -Kujako-

  3. #3
    Deleted
    bloatware and malware are not the same thing.

    http://betanews.com/2015/08/13/lenov...ding-crapware/

  4. #4
    I thought Lenovo had got in trouble over this and the Internet outcry was so bad they removed it? This was like a few months ago?

    "This will be a fight against overwhelming odds from which survival cannot be expected. We will do what damage we can."

    -- Capt. Copeland

  5. #5
    The Patient
    Quote Originally Posted by Hubcap:
    I thought Lenovo had got in trouble over this and the Internet outcry was so bad they removed it? This was like a few months ago?
    Yep yep, Superfish in February this year:
    http://www.theguardian.com/technolog...ird-party-apps

  6. #6
    Deleted
    Quote Originally Posted by Ioath:
    bloatware and malware are not the same thing.

    http://betanews.com/2015/08/13/lenov...ding-crapware/
    If you read the article, you would see it is malware because,

    1. not only does it have the most severe form of security vulnerability, i.e. Administrator privilege escalation
    2. it also installs an unknown and undocumented program by changing an existing Windows program
    3. it sends your details over the Internet and to a foreign jurisdiction
    4. it downloads and installs another unknown program to your computer
    5. it does all this no matter how much you wipe your computer and attempt to start over.

    Good luck finding "normal" malware that is even half as dangerous as the above...

  7. #7
    Lava Bucket
    They acknowledged that it was a mistake and offered a reasonable fix without charge. It looks like they learned their lesson.

  8. #8
    Before addressing the issue of bloatware I'd like to see consumer protection laws in the US force these PC mass producers to include physical stand alone media for the recovery of systems they produce.

    Recovery partitions aren't always the solution, and selling the customer a recovery disk for profit is utter bullshit.
    MAGA
    When all you do is WIN WIN WIN

  9. #9
    Deleted
    Quote Originally Posted by Lava Bucket:
    It looks like they learned their lesson.
    They didn't do jack fucking shit until they were ridiculed in public.

    Thank goodness I haven't bought any Lenovo products and most certainly never will.

  10. #10
    It's malware.

    Lenovo is one of the worst offenders for bloatware because if you wipe it off with something like PC-Derappifier it can break stuff.

    Chinese company, don't buy.
    Quote Originally Posted by Venant:
    I feel bad for all those 'protesters' at the Trump rally, it's like the real life equivalent of making a 40 man raid in WoW and not having the boss spawn, thereby denying them a chance at looting.
    Quote Originally Posted by Endus:
    That's a nonsense argument that ignores what words mean.

  11. #11
    Forgettable
    I recently cleaned a friend's Lenovo laptop... In addition to being riddled with the default Lenovo branded bloatware, it was also the most malware and spyware infected machine I have ever touched. Whether that is my friend's fault or Lenovo's, I'm not sure... But I will definitely never buy one of their products.

  12. #12
    Lava Bucket
    Quote Originally Posted by Miuku:
    They didn't do jack fucking shit until they were ridiculed in public.

    Thank goodness I haven't bought any Lenovo products and most certainly never will.
    Right, they learned that if they install pernicious software in hard-to-find places that compromise security, people will find it and raise hell.

  13. #13
    So it's like every unrooted smartphone ever

  14. #14
    Collegeguy
    Buying a laptop from a Chinese developer... Nah don't trust.
