Lenovo has stopped installing software which allows them to overwrite system files with their version of those files, even if you wipe the disk. They have released a patch for it and recommend that users install the fixes, especially on laptops, quickly. How they do it is quite amazing.
Lenovo has built, into the firmware of the laptops and desktops, something called Lenovo Service Engine or LSE. What LSE does is to check, on startup, if their version a file called Autochk.exe is installed in the Windows system folder. If Microsoft’s version was installed installed instead of Lenovo’s, they nuke Microsoft’s version and replace it with their own.
This is very similar to hardware based root kit malware that the NSA uses and that I have written about before. In those cases, they infect the firmware in a disk drive or on a peripheral device so that there is no way for you to delete the malware.
Once Lenovo has their somewhat-evil version of Autochk installed, every time you boot up, it looks to see if two of their programs, LenovoUpdate.exe and LenovoCheck.exe are installed on the system. If not, they copy them to the system folder.
These programs execute on startup with full system administrator privileges and download drivers and other Lenovo bloatware from the Internet without asking your permission.
The software sends personally identifiable information to Lenovo as part of this process.
What they download and install on your computer is completely up to them – they neither ask you nor tell you.
The feature in the firmware which enables this, Windows Platform Binary Table or WPBT is designed to make sure critical system files are present, however, it seems like this makes installing a Root kit a “paint by numbers” task for hackers, according to The Register.
When the Register asked Microsoft for an explanation of WPBT, all they heard was the crickets chirping – no comment.
I think Microsoft’s intentions are good here. Their strategy to sell more copies of Windows is to make things very simple so that even grandpa can use it. That means that we have to trust the PC makers to use this appropriately, which once again, Lenovo has failed at.
It also means that they have to implement it securely and we have to trust that they do that. Which Lenovo failed at.
Curiously, Lenovo did NOT install this rootkit on their Think branded computers, targeted at businesses, only on some Lenovo branded models – reinforcing the thought that they think that some of their customers cannot manage their own computers without training wheels.
Becase they got caught at it, they have now released patches for the various models that have LSE installed. Some of the patches are labelled low severity but other models, due to even more vulnerabilities found, are labelled high severity and Lenovo recommends users install those fixes ASAP.
If Lenovo was not on your DO NOT BUY list before this announcement, it should be now. First Superfish, now this. They just don’t get it.
I hope that security researchers, who found this gem, are going to be looking at what other manufacturers are doing with WPBT. Personally, I had never heard of it before yesterday.
If I was a conspiracy theorist, I might suggest that this tool could easily be manipulated by repressive governments to spy on their citizens. Which repressive government(s) I am talking about I will leave up to your imagination.
It does point out that we are really dependent on hardware and software makers to do the right thing. If some government agency comes to you and tells you to do something, doing the right thing may not be easy.
Information for this post came from The Register.