Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability.
If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop's firmware will quietly and automatically reinstall Lenovo's software on the next boot-up.
Built into the firmware on the laptops' motherboard is a piece of code called the Lenovo Service Engine (LSE). If Windows is installed, the LSE's payload is run by the operating system early in the boot process, before any user has logged on.
...
LenovoCheck and LenovoUpdate are executed on startup with full administrator access. Automatically, and rather rudely, they connect to the internet to download and install drivers, a system "optimizer", and whatever else Lenovo wants on your computer. Lenovo's software also phones details of the running system home to the Chinese giant.
To pull this off, the LSE uses Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.
The WPBT is an ACPI table stored in the firmware. It tells Windows the physical memory address and size of an executable, called a platform binary, that the firmware has already placed in memory, plus an optional command line. Early in boot, before any user logs on, Windows copies that binary to disk and runs it with system privileges; the binary then takes care of installing whatever files the manufacturer wants.
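The practical check a practitioner wants here is "does my firmware carry a WPBT, and what does it point at?" The following is an added example, not code from Lenovo, Microsoft or the article: it parses the WPBT table layout as published in Microsoft's WPBT specification (36-byte ACPI header, then handoff size, handoff physical address, layout, type and a UTF-16 command line), validates the ACPI checksum, and, where permitted, reads the live table from /sys/firmware/acpi/tables/WPBT on Linux or via kernel32!GetSystemFirmwareTable on Windows. The sample table it builds is constructed for illustration; the address, size and command line in it are invented.

```python
import ctypes
import os
import struct
import sys

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body per Microsoft's spec: handoff memory size (UINT32), handoff memory
# physical location (UINT64), content layout (UINT8), content type (UINT8),
# command line length in bytes (UINT16); the UTF-16LE command line follows.
WPBT_BODY = struct.Struct("<IQBBH")
LINUX_WPBT = "/sys/firmware/acpi/tables/WPBT"


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over its full length."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Validate a raw WPBT table and return its fields; raises ValueError on junk."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _csum, oem_id, oem_table_id, _orev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != buffer length {len(table)}")
    if not acpi_checksum_ok(table):
        raise ValueError("bad ACPI checksum")
    handoff_size, handoff_addr, layout, ctype, cmd_len = \
        WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    off = ACPI_HEADER.size + WPBT_BODY.size
    if off + cmd_len > len(table):
        raise ValueError("command line runs past end of table")
    cmdline = table[off:off + cmd_len].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "handoff_addr": handoff_addr,      # physical address of the platform binary
        "handoff_size": handoff_size,      # its size in bytes
        "layout": layout,                  # 1 = single PE image (only defined value)
        "content_type": ctype,             # 1 = native user-mode application
        "cmdline": cmdline,
        "single_pe_native_app": layout == 1 and ctype == 1,
    }


def build_wpbt(handoff_addr: int, handoff_size: int, cmdline: str = "",
               oem_id: bytes = b"EXAMPL") -> bytes:
    """Construct a WPBT table (used here only to make a sample; values are invented)."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00" if cmdline else b""
    body = WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id, b"EXAMPLE ", 1, b"EXMP", 1)
    raw = bytearray(header + body)
    raw[9] = (-sum(raw)) & 0xFF           # checksum byte sits at offset 9 of the header
    return bytes(raw)


def read_system_wpbt():
    """Return the raw WPBT from the running machine, or None if the firmware has none
    (or the table cannot be read, e.g. no root on Linux)."""
    if sys.platform.startswith("linux"):
        if os.path.exists(LINUX_WPBT):
            with open(LINUX_WPBT, "rb") as f:
                return f.read()
        return None
    if sys.platform == "win32":
        k32 = ctypes.windll.kernel32
        fn = k32.GetSystemFirmwareTable
        fn.argtypes = [ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32]
        fn.restype = ctypes.c_uint32
        provider = int.from_bytes(b"ACPI", "big")      # 'ACPI' provider = 0x41435049
        table_id = int.from_bytes(b"WPBT", "little")   # ACPI table signature, little-endian
        size = fn(provider, table_id, None, 0)
        if size == 0:
            return None
        buf = ctypes.create_string_buffer(size)
        if fn(provider, table_id, buf, size) != size:
            return None
        return buf.raw
    return None


# Constructed sample: a platform binary of 8 KiB at physical 0x7F000000 with a
# command line of "/quiet". Nothing about it is taken from a real machine.
CONSTRUCTED_SAMPLE = build_wpbt(0x7F000000, 0x2000, "/quiet")

if __name__ == "__main__":
    raw = read_system_wpbt()
    if raw is None:
        print("no WPBT readable on this machine; parsing the constructed sample instead")
        raw = CONSTRUCTED_SAMPLE
    info = parse_wpbt(raw)
    print(f"OEM {info['oem_id']!r}: platform binary at 0x{info['handoff_addr']:X}, "
          f"{info['handoff_size']} bytes, cmdline {info['cmdline']!r}, "
          f"native PE app: {info['single_pe_native_app']}")
```

A machine whose firmware exposes no WPBT cannot have a platform binary injected this way; if one is present, the address and size tell you what to dump (via physical memory on Linux, or the copy Windows writes to disk during boot) and examine, and the OEM fields tell you who put it there.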
...
Security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.
...
After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft's security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.
Lenovo has also pulled the LSE from new desktop machines. Incredibly, Lenovo was shipping desktop PCs that feature the LSE in their firmware. These models phone home system data, but do not install any extra software, and do not suffer from the aforementioned privilege-escalation vulnerability. The PC maker's laptops definitely do, however.
...
A tool quietly released on July 31 will uninstall the engine if it is present in your machine: Lenovo has published one version for notebooks and another for desktops.
On Tuesday this week, Lenovo published a full list of affected desktop and notebook models. Desktop machines built between October 23, 2014 and April 10, 2015, with Windows 8 preinstalled, have the LSE inside them.
Think-branded PCs did not include the LSE, we're told.
...
Suffice to say, netizens who have discovered this creepy code on their machines are not happy.
"I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Windows 8 DVD and Wi-Fi turned off," a Hacker News user called chuckup said on Tuesday, on noticing Lenovo's bundleware suddenly appearing on his or her new computer.
"I couldn't understand how a Lenovo service was installed and running. Delete the file and it reappears on reboot. I've never seen anything like this before. Something to think about before buying Lenovo."
What is worrying is that all of this is pretty much what Microsoft intended. Its WPBT is engineered to allow manufacturers to painlessly inject drivers and programs into the operating system. It's supposed to be used for things like anti-theft tools, so a system can be disabled via the internet if it's stolen.
...
"Richard Stallman is sounding less and less crazy with discoveries like this," noted another Hacker News poster, referring to the Free Software Foundation supremo who has warned for decades that we're losing control of our computers.
"To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become."
This comes on the back of Lenovo's Superfish scandal, in which the PC maker shipped laptops with adware on them that opened up people to man-in-the-middle eavesdropping. Miscreants could exploit the bundled crapware to snoop on victims' encrypted connections to websites.
We've asked Microsoft to explain the thinking behind its WPBT feature. The Redmond giant was not available for immediate comment.