Lenovo firmware on laptop motherboards was not only irremovable but also posed a security risk
Lenovo’s been caught sneaking crapware into its laptops – again. The Chinese firm sold PCs bundled with software that contained an exploitable security vulnerability and could not be removed.
Even if the hard drive is wiped and Windows gets a clean install, the crapware will worm its way back into the laptop’s system.
Lenovo bundled the crapware inside its Lenovo Service Engine (LSE) – firmware that sits on the laptop’s motherboard and runs before Windows has even launched when the user switches on the laptop.
LSE installs software called OneKey Optimizer (OKO), which is effectively crapware: it performs functions such as automatically updating drivers and cleaning up system “junk files”.
Moreover, LSE contained a security vulnerability that left affected Lenovo laptops and PCs open to a buffer overflow attack and susceptible to attempted connections to a Lenovo test server.
The affected devices were manufactured between October 23, 2014 and April 10, 2015, with Windows 8 and 8.1 preinstalled.
Lenovo said the security vulnerability was “brought to its attention” by an independent security researcher in May. On July 31, Lenovo issued a BIOS firmware update that eliminates the security vulnerability.
“In coordination with Mr. Schouwenberg [the researcher] and in line with industry responsible disclosure best practice, on July 31, 2015, we issued Lenovo Product Security Advisories that highlighted the new BIOS firmware – specifically for consumer Notebook and Desktop,” said Lenovo.
“The vulnerability was linked to the way Lenovo utilised a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs.
“Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.”
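The article does not name the “Microsoft Windows mechanism” in Lenovo’s statement; LSE used the ACPI Windows Platform Binary Table (WPBT), through which firmware hands Windows a binary to execute during boot, which is why the software came back after a clean install. The parser below is an added example, not Lenovo’s or Microsoft’s code: it decodes a WPBT table so an administrator can see whether their firmware publishes one and what binary it points at, using a constructed sample table (not captured from any device) in place of real firmware data; the sysfs path is where Linux exposes ACPI tables, and the OEM and table IDs in the sample are placeholders.

```python
import struct

# ACPI table header (36 bytes, little-endian), then the WPBT body: handoff
# memory size (u32), physical address of the binary (u64), content layout
# (u8, 1 = single PE image), content type (u8, 1 = native user-mode app),
# command-line length in bytes (u16), followed by UTF-16LE arguments.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")

def acpi_checksum_ok(table: bytes) -> bool:
    """Every byte of an ACPI table, checksum field included, sums to 0 mod 256."""
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT table: which binary the firmware asks Windows to run at boot."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, _rev, _chk, oem_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match table size")
    mem_size, mem_addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + arg_len > len(table):
        raise ValueError("command-line length runs past the end of the table")
    args = table[args_off:args_off + arg_len].decode("utf-16-le").rstrip("\x00")
    return {"oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
            "checksum_ok": acpi_checksum_ok(table),
            "binary_phys_addr": mem_addr, "binary_size": mem_size,
            "content_layout": layout, "content_type": ctype, "command_line": args}

def build_sample_wpbt(oem_id: bytes, phys_addr: int, size: int, args: str = "") -> bytes:
    """Constructed sample table (not captured from any device) with a valid checksum."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(size, phys_addr, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id.ljust(6), b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF  # checksum field lives at offset 9
    return bytes(table)

def read_wpbt(path: str = "/sys/firmware/acpi/tables/WPBT"):
    """Parsed table if the running firmware publishes a readable WPBT, else None."""
    try:
        with open(path, "rb") as fh:
            return parse_wpbt(fh.read())
    except OSError:  # absent (no WPBT, or not Linux) or unreadable
        return None
```

A machine whose firmware publishes no WPBT returns None from `read_wpbt()`; a non-None result tells you which physical address and binary size Windows will be handed at boot, which is the first thing to check when software reappears after a wipe.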
The news comes after Lenovo was embroiled in the ‘Superfish’ debacle that affected Lenovo laptops manufactured in almost the same timeframe. Superfish was preinstalled adware that hijacked search results in favour of Lenovo’s business.
The adware used a self-signed root certificate, which allowed it to collect users’ data from web browsers and to drop advertisements into browser sessions without the user’s knowledge.
The Chinese firm had to apologise and issue an update to let users remove the adware in February.
As with Superfish, the company says it has got rid of LSE. “As a result, LSE is no longer being installed on systems,” said the firm. “It is strongly recommended that customers update their systems with the new BIOS firmware which disables and/or removes this feature.”
This week, Lenovo also revealed a round of job cuts at the company, with five percent of its workforce facing the chop as global sales decline. The company even witnessed low demand in its home market of China, as sales in the second quarter of 2015 dived 16 percent.
More than three thousand non-manufacturing jobs are set to be axed, said Lenovo, offering a possible saving of £416 million in the second half of the year.
The firm’s net profit fell by 51 percent compared to the same quarter last year, down $105 million (£67m). Lenovo endured particularly bad sales in its mobile division, failing to turn its 2014 $2.9 billion (£1.9bn) buyout of Motorola from Google into a success.