The world’s No. 1 PC seller is in hot water again with some buyers after another piece of software installed by Lenovo has left users open to security risk. Everyone from hackers to news publications such as The Next Web is yelling. Lenovo says the problem has been corrected, but that’s twice this year that so-called “bloatware” issues have hit the tech giant.

The latest issue is exploding after Lenovo issued a statement in February saying it “promises” to deliver “a cleaner, safer PC.”

The problem is serious, as Lenovo notes in a security warning: “Severity: Severe.”

The issue goes to the very heart – or root – of a PC: the machine’s Basic Input-Output System (BIOS), the software embedded on the motherboard.

“Lenovo, Microsoft and an independent researcher have discovered possible ways this program could be exploited by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server,” the company said.

“It is strongly recommended that customers update their systems with the new BIOS firmware which disables and/or removes this feature,” Lenovo added in a separate statement.

Numerous notebooks (including two popular Yoga tablet models) and desktops are affected, although not ThinkPads, Lenovo says. Plus, it adds that the software installs have been stopped.

But outrage on the web is growing as word spreads.

  • “Lenovo used shady ‘rootkit’ tactic to quietly reinstall unwanted software,” says ZDNet. “Lenovo has been caught using a technique, often used by some malware to withstand being deleted …”
  • “Lenovo used a hidden Windows feature to ensure its software could not be deleted,” roars The Next Web. “A recently uncovered feature – which had been swept under the rug – allowed new Lenovo laptops to use a Windows feature to automatically install the company’s software and tools even if the computer was wiped.”
  • “Lenovo’s Service Engine marks yet another bloatware blunder for the company,” rips PCWorld. “By preventing laptops and desktops from performing a truly clean install of Windows, Lenovo may have left users open to attack.”

Users speak out

Says an incredulous poster at an online forum: “Unbelievable. First SuperFish, and now a UEFI-level crapware-installer-kit?”

The SuperFish scandal (an adware install) erupted in January/February, with Lenovo apologizing and now facing investigation.

Now comes the Lenovo install blunder, as first reported by a user:

“Hi, I discovered this issue back in May when I bought a Lenovo Y40-80, which also has this. It really pissed me off so I did quite a bit of digging into it and successfully removed it, so after running into this thread I figured I’d share what I learned.

“Before booting Windows 7 or 8, the BIOS checks if C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the Lenovo one, it moves it to C:\Windows\system32\0409\zz_sec\autobin.exe, and then writes its own autochk.exe. During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe file to the system32 directory, and sets up a service to run one of them when an internet connection is established. I don’t know too much exactly what those do, but one appears to phone home to http://download.lenovo.com/ideapad/wind … 2_oko.json which is a bit worrying with the combination of a “ForceUpdate” parameter shown and the lack of SSL, making it fairly likely that it’s exploitable for remote code execution by anyone who can intercept your traffic (public wifi, etc).”

[Read the thread at: http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=ddf3e32512932172454de515091db014#p29497693 ]

Reboots are annoying, especially factory-mandated ones for software updates. But ones that expose users to security threats while being hidden? Talk about Big Brother potential.

“I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Win 8 DVD + wifi turned off. I couldn’t understand how a Lenovo service was installed and running!” a poster wrote. “Delete the file and it reappears on reboot. I’ve never seen anything like this before.”

Warned another user:

“Something to think about before buying Lenovo. I searched and found almost nothing about this, so it may be something they started doing in the last few months…”

There’s more: “You no longer have the right to own the hardware you buy. Now it has become a service subject to their terms.”

What about security?

“That Windows Platform Binary Table sounds disturbing and is ripe for being exploited,” a poster warns.

[Read more at: https://news.ycombinator.com/item?id=10039870 ]

Lenovo’s security advisory warns “Severity: High”

In a security bulletin, Lenovo warned the issue isn’t to be taken lightly.

“Severity: High”

It reads:

“Summary: Vulnerabilities have been identified in the Lenovo Service Engine (LSE). Lenovo has released a BIOS update to disable Lenovo Service Engine and a utility to remove services and files left on the system for systems running Windows 7, 8, 8.1 and 10. See below for a full list of notebook systems with LSE installed.

“Description: Lenovo Service Engine (LSE) is a utility in the BIOS that helps users download a program called OneKey Optimizer (http://support.lenovo.com/us/en/downloads/ds101321) on certain Lenovo Notebook systems. The utility also sends non-personally identifiable system data to Lenovo servers (see the “Other Information and References” section for a complete list).

“Lenovo, Microsoft and an independent researcher have discovered possible ways this program could be exploited by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.

“LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines (see link below) on how to best implement this feature. Lenovo’s use of LSE was not consistent with these guidelines and Lenovo recommends customers disable this utility by running a disabler program that disables LSE and removes the LSE files from the system. …

[For more info and how to uninstall the problem read: https://support.lenovo.com/us/en/product_security/lse_bios_notebook ]
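As an added, defender-side example (not code from Lenovo, Microsoft or the forum poster), the PowerShell audit below checks for the two things described in the forum post and in the advisory above: whether the firmware exposes a Windows Platform Binary Table at all, and whether the file, signature and service artefacts the poster listed (a non-Microsoft autochk.exe, the zz_sec\autobin.exe backup, LenovoUpdate.exe / LenovoCheck.exe, and a service pointing at them) are present. The WPBT lookup uses the Win32 GetSystemFirmwareTable API; the function names are chosen for this example, and the parse of the table header assumes Microsoft’s published WPBT layout (a 36-byte ACPI header followed by a 4-byte handoff image size). The script is read-only; remediation remains Lenovo’s BIOS update and disabler utility.

```powershell
# Added audit example; not Lenovo's, Microsoft's, or the forum poster's code.
# Read-only: reports indicators and changes nothing. Run from an elevated prompt.

# P/Invoke wrapper for GetSystemFirmwareTable (kernel32.dll).
Add-Type -Namespace LseAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-WpbtInfo {
    # Provider 'ACPI' is documented as 0x41435049; an ACPI table ID is the
    # four-character signature read as a little-endian DWORD ('WPBT' -> 0x54425057).
    $provider = 0x41435049
    $tableId  = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
    $size = [LseAudit.Native]::GetSystemFirmwareTable($provider, $tableId, $null, 0)
    if ($size -eq 0) {
        # No WPBT: the firmware is not handing Windows a binary to run at boot.
        return [pscustomobject]@{ Present = $false; TableBytes = 0; HandoffImageBytes = 0 }
    }
    $buf = New-Object byte[] $size
    [void][LseAudit.Native]::GetSystemFirmwareTable($provider, $tableId, $buf, $size)
    # Assumed layout (Microsoft WPBT spec): 36-byte standard ACPI header, then a
    # UINT32 handoff memory size = size of the PE image the firmware hands to Windows.
    $handoff = if ($size -ge 40) { [BitConverter]::ToUInt32($buf, 36) } else { 0 }
    [pscustomobject]@{ Present = $true; TableBytes = $size; HandoffImageBytes = $handoff }
}

function Get-LseFileIndicators {
    # Paths exactly as described in the forum post quoted above.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $candidates = @(
        'autochk.exe',              # should be Microsoft-signed; another signer is the red flag
        '0409\zz_sec\autobin.exe',  # where the poster says the original autochk.exe was moved
        'LenovoUpdate.exe',
        'LenovoCheck.exe'
    )
    foreach ($rel in $candidates) {
        $path = Join-Path $sys32 $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path    = $path
            # Note: on older PowerShell, catalog-signed Windows binaries can report
            # NotSigned; confirm with a hash against a known-good copy before acting.
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            # An autochk.exe whose signer is not Microsoft matches what the post describes.
            Suspect = ($rel -eq 'autochk.exe') -and ($sig.SignerCertificate.Subject -notmatch 'Microsoft')
        }
    }
}

function Get-LseServiceIndicators {
    # The post says a service is registered to launch one of the dropped binaries.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'LenovoUpdate\.exe|LenovoCheck\.exe' } |
        Select-Object Name, State, StartMode, PathName
}

# Usage: run all three checks and print the findings.
Get-WpbtInfo
Get-LseFileIndicators | Format-Table -AutoSize
Get-LseServiceIndicators | Format-Table -AutoSize
```

A present WPBT is not by itself a fault (Microsoft’s guidelines allow the mechanism), so the file and service checks are what distinguish the LSE pattern from a benign table; a machine that shows a non-Microsoft autochk.exe plus a service pointing at LenovoUpdate.exe or LenovoCheck.exe is one the advisory says to take to the BIOS update and disabler.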

Here is Lenovo’s full statement on the problem.

Lenovo Statement on Lenovo Service Engine (LSE) BIOS

In the April – May timeframe, Lenovo made available new BIOS firmware for some of its consumer PCs that eliminated a security vulnerability that was discovered and brought to its attention by an independent security researcher, Roel Schouwenberg. In coordination with Mr. Schouwenberg and in line with industry responsible disclosure best practice, on July 31, 2015, we issued Lenovo Product Security Advisories that highlighted the new BIOS firmware – specifically for consumer Notebook and Desktop. Lenovo always strongly recommends that users update their systems with the latest BIOS firmware. Starting in June, the new BIOS firmware has been installed on all newly manufactured Lenovo consumer notebook and desktop systems.

The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. Think-brand PCs are unaffected. Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.

As a result of these findings, Microsoft recently released updated security guidelines (see page 10 of this linked PDF) on how to best implement this Windows BIOS feature. Lenovo’s use of LSE was not consistent with these new guidelines. As a result, LSE is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware which disables and/or removes this feature.

LSE was shipped on some Lenovo-branded notebook systems running Windows 7, 8 and 8.1 and desktop systems running Windows 8 and 8.1 as listed below. The software does not come loaded on any Think-branded PCs.

List of affected Lenovo Products:

Lenovo Notebook

  • Flex 2 Pro 15 (Broadwell)
  • Flex 2 Pro 15 (Haswell)
  • Flex 3 1120
  • Flex 3 1470/1570
  • G40-80/G50-80/G50-80 Touch
  • S41-70/U41-70
  • S435/M40-35
  • V3000
  • Y40-80
  • Yoga 3 11
  • Yoga 3 14
  • Z41-70/Z51-70
  • Z70-80/G70-80

Lenovo Desktop (World Wide)

  • A540/A740
  • B4030
  • B5030
  • B5035
  • B750
  • H3000
  • H3050
  • H5000
  • H5050
  • H5055
  • Horizon 2 27
  • Horizon 2e (Yoga Home 500)
  • Horizon 2S
  • C260
  • C2005
  • C2030
  • C4005
  • C4030
  • C5030
  • X310 (A78)
  • X315 (B85)

Lenovo Desktop (China Only)

  • D3000
  • D5050
  • D5055
  • F5000
  • F5050
  • F5055
  • G5000
  • G5050
  • G5055
  • YT A5700k
  • YT A7700k
  • YT M2620n
  • YT M5310n
  • YT M5790n
  • YT M7100n
  • YT S4005
  • YT S4030
  • YT S4040
  • YT S5030

Lenovo operates its global executive headquarters in Morrisville.