Poor timing, Lenovo
Lenovo's reputation took a hit when it was discovered earlier this year that it was pre-installing an adware program called Superfish, which shipped its own root certificate and thereby broke HTTPS trust on affected machines, and now it faces even more criticism for what some consider a sketchy BIOS feature.
Here's the deal -- some Lenovo laptops are configured to download the company's software and utilities even after wiping the storage drive and performing a clean Windows installation. How so?
As a user on Ars Technica's forums discovered, it's a so-called BIOS feature called Lenovo Service Engine (LSE). The way it works is that when a user installs Windows, the firmware checks a file called autochk.exe in C:\Windows\system32 to determine whether it is Microsoft's original or one signed by Lenovo. If it is Microsoft's, it's overwritten with a custom Lenovo version. Because autochk.exe is executed by the boot process before the desktop comes up, the replacement gets to run on every boot, and it drops two more files, LenovoUpdate.exe and LenovoCheck.exe, which set up a service that downloads Lenovo's software as soon as there's an Internet connection. Since the hook lives in firmware rather than on the disk, a clean reinstall of Windows doesn't get rid of it.
That's not all. The Next Web points out that it also sends "system data to a Lenovo server to help us understand how customers use our products." Supposedly that information doesn't include personally identifiable information, though these types of hidden or otherwise little known tricks don't instill a lot of trust.
It's also worth mentioning that the feature Lenovo took advantage of is a Microsoft-sanctioned mechanism called the Windows Platform Binary Table (WPBT). It's an ACPI table in which the firmware hands Windows a native-mode executable held in memory; during boot the Session Manager copies that binary to disk (as wpbbin.exe under system32) and runs it before the desktop loads, with no user action and no on-disk installer involved. WPBT was introduced in 2011 and received its first update last month, but until now, there weren't many mentions of it online.
There's a document that outlines the method, which Microsoft modified to make clear that it's intended for "critical software," including things like "anti-theft software." The wording seems to be a response to how Lenovo was using the feature.
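Because the WPBT is an ordinary ACPI table, you can check your own firmware for one without trusting any vendor tool. The script below is an added example, not code from the article or from Lenovo or Microsoft: it reads the table (from /sys/firmware/acpi/tables/WPBT on Linux, which usually needs root, or via kernel32's GetSystemFirmwareTable on Windows), validates the signature, length and ACPI checksum, and prints where the injected binary lives and what command line it would be started with. The layout it parses is the published one: the 36-byte ACPI header, then handoff size (4 bytes), physical address (8), content layout (1), content type (1), argument length (2) and a UTF-16LE command line. The `build_wpbt` helper, the OEM IDs "SAMPLE"/"WPBTDEMO" and the address and command line it fills in are constructed test data so the script can be exercised on a machine that has no WPBT at all.

```python
"""Detect and parse a Windows Platform Binary Table (WPBT) ACPI table."""
import struct
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Standard ACPI table header: signature, length, revision, checksum, OEM ID,
# OEM table ID, OEM revision, creator ID, creator revision (36 bytes).
ACPI_HEADER = struct.Struct("<4sIBB6s8sIII")
# WPBT body: handoff size, handoff physical address, content layout,
# content type, command-line argument length in bytes (16 bytes).
WPBT_BODY = struct.Struct("<IQBBH")
HEADER_LEN = ACPI_HEADER.size + WPBT_BODY.size  # 52 bytes before the arguments

CONTENT_LAYOUT_SINGLE_PE = 1   # one PE image in the handoff buffer
CONTENT_TYPE_NATIVE_APP = 1    # native (pre-Win32) user-mode application


@dataclass
class WpbtInfo:
    oem_id: str
    oem_table_id: str
    binary_size: int
    binary_addr: int
    cmdline: str


def acpi_checksum(table: bytes) -> int:
    """ACPI rule: every byte of the table, checksum included, sums to 0 mod 256."""
    return sum(table) & 0xFF


def parse_wpbt(table: bytes) -> WpbtInfo:
    """Validate a raw WPBT blob and extract the fields an investigator cares about."""
    if len(table) < HEADER_LEN:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _chk, oem_id, oem_tid, _oemrev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"bad signature {sig!r}")
    if length != len(table):
        raise ValueError(f"length field {length} does not match {len(table)} bytes read")
    if acpi_checksum(table) != 0:
        raise ValueError("ACPI checksum mismatch; table is corrupt or truncated")
    size, addr, layout, ctype, argslen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if layout != CONTENT_LAYOUT_SINGLE_PE or ctype != CONTENT_TYPE_NATIVE_APP:
        raise ValueError(f"unsupported content layout/type {layout}/{ctype}")
    args = table[HEADER_LEN:HEADER_LEN + argslen]
    if len(args) != argslen:
        raise ValueError("command-line arguments truncated")
    return WpbtInfo(
        oem_id=oem_id.decode("ascii", "replace").strip(),
        oem_table_id=oem_tid.decode("ascii", "replace").strip(),
        binary_size=size,
        binary_addr=addr,
        cmdline=args.decode("utf-16-le").rstrip("\x00"),
    )


def build_wpbt(binary_addr: int, binary_size: int, cmdline: str,
               oem_id: bytes = b"SAMPLE", oem_table_id: bytes = b"WPBTDEMO") -> bytes:
    """Construct a well-formed sample table (test data, not a real firmware table)."""
    args = (cmdline + "\x00").encode("utf-16-le")
    length = HEADER_LEN + len(args)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6), oem_table_id.ljust(8), 1, 0, 0)
    body = WPBT_BODY.pack(binary_size, binary_addr, CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_APP, len(args))
    table = bytearray(header + body + args)
    table[9] = (-sum(table)) & 0xFF   # checksum byte sits at offset 9 of the header
    return bytes(table)


def load_wpbt() -> Optional[bytes]:
    """Return the live WPBT if the firmware exposes one, else None."""
    sysfs = Path("/sys/firmware/acpi/tables/WPBT")          # Linux; typically root-only
    try:
        if sysfs.exists():
            return sysfs.read_bytes()
    except PermissionError:
        print("WPBT present but unreadable; rerun as root", file=sys.stderr)
        return None
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        provider = 0x41435049                                # 'ACPI'
        table_id = int.from_bytes(b"WPBT", "little")          # table signature as little-endian DWORD
        n = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
        if n == 0:
            return None
        buf = ctypes.create_string_buffer(n)
        k32.GetSystemFirmwareTable(provider, table_id, buf, n)
        return buf.raw
    return None


if __name__ == "__main__":
    raw = load_wpbt()
    if raw is None:
        print("no WPBT exposed by this firmware; parsing constructed sample instead")
        raw = build_wpbt(0x7A000000, 0x2000, "/nothing")   # constructed values
    info = parse_wpbt(raw)
    print(f"OEM {info.oem_id}/{info.oem_table_id}: {info.binary_size} bytes at "
          f"0x{info.binary_addr:x}, command line {info.cmdline!r}")
```

A machine that prints "no WPBT exposed" has no firmware-injected binary to worry about. If a real table does turn up, the physical address and size tell you which chunk of memory to dump (for example through /dev/mem or a firmware image) in order to hash and inspect the PE that Windows would run on every boot; the checksum and length checks matter because a malformed table is exactly what you'd expect from a bad firmware build or a tampered one.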
To Lenovo's credit, it released a disabler tool sometime between April and May of this year, though it's not automatically pushed to affected systems. Users must both know about the tool's existence and manually download and run it; the firmware hook itself is only removed by a BIOS update, since the custom autochk.exe would otherwise return on the next clean install.
According to Lenovo, the feature is not present in the BIOS firmware included on all PCs shipped since June. Prior to that, several laptops, 2-in-1 systems, and desktop PCs were affected, a full list of which (along with Lenovo's statement on the matter) can be found here.
Since this was a Microsoft-sanctioned feature that Lenovo was using, it's possible that other OEMs and system builders were using it as well; anything the firmware places in the table runs with no installer, no user consent prompt, and no trace in the usual "installed programs" list.
From maximumpc
from http://bit.ly/1HGVQz7