Lenovo has been caught red-handed again. Two years ago, the company was banned from supplying equipment for the networks of intelligence and defense services in various countries over concerns about spying and hacking.
Early this year, Lenovo was caught selling laptops pre-installed with the Superfish malware.
It seems Lenovo has not learnt from its past mistakes, if they can be called mistakes. Once again, the company is in the news for the wrong reasons. It has been discovered that Lenovo has been using a hidden Windows feature to preinstall unwanted and irremovable rootkit (see Definition) software on certain Lenovo laptops and desktops.
The feature is known as “Lenovo Service Engine” (LSE) – which is a piece of code inserted into the firmware (see Definition) on the computer’s motherboard.
LSE automatically downloads and installs Lenovo’s own software at boot time, before the Windows operating system starts, overwriting Windows system files.
What is worrisome is that the feature injects software that updates drivers, firmware, and other pre-installed apps onto the Windows machine, even if the system has been wiped clean. In practice this means that if you uninstall or delete Lenovo’s software, the LSE hidden in the firmware reloads it automatically as soon as you power on or reboot the machine.
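The hidden Windows feature described above is the ACPI Windows Platform Binary Table (WPBT), through which firmware hands Windows a binary to run during boot; naming it here is the editor's addition, not the article's. The following is an added example (not Lenovo's or Microsoft's code) that parses such a table so an administrator booting Linux live media on a suspect machine can see whether the firmware publishes one; the field layout follows Microsoft's WPBT specification, the command-line length is treated as a byte count of the UTF-16LE string (an assumption), and the sample table is constructed.

```python
import struct
from dataclasses import dataclass
from pathlib import Path

# 36-byte ACPI header: signature, length, revision, checksum, OEM ID,
# OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body: handoff memory size, physical address of the image, content layout
# (1 = single PE image), content type (1 = native user-mode application) and
# command-line length (treated here as a byte count of the UTF-16LE string).
WPBT_BODY = struct.Struct("<IQBBH")
SYSFS_WPBT = Path("/sys/firmware/acpi/tables/WPBT")  # where Linux exposes it

@dataclass
class WpbtInfo:
    oem_id: str
    image_addr: int
    image_size: int
    layout: int
    content_type: int
    command_line: str
    checksum_ok: bool

def parse_wpbt(table: bytes) -> WpbtInfo:
    """Decode a raw WPBT table; raises ValueError if it is malformed."""
    sig, length, _rev, _csum, oem, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length != len(table):
        raise ValueError("ACPI length field disagrees with table size")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    if start + cmd_len > len(table):
        raise ValueError("command line runs past the end of the table")
    cmd = table[start:start + cmd_len].decode("utf-16-le").rstrip("\0")
    # An ACPI table is intact when all of its bytes sum to zero modulo 256.
    return WpbtInfo(oem.decode("ascii", "replace").rstrip("\0 "), addr, size,
                    layout, ctype, cmd, sum(table) % 256 == 0)

def build_sample_wpbt(cmd: str, oem: bytes = b"EDITOR") -> bytes:
    """Constructed sample table (not a real Lenovo dump) for offline testing."""
    cmd_bytes = (cmd + "\0").encode("utf-16-le")
    body = WPBT_BODY.pack(0x4000, 0x7F000000, 1, 1, len(cmd_bytes)) + cmd_bytes
    hdr = bytearray(ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                                     oem, b"SAMPLE  ", 1, b"EDTR", 1))
    hdr[9] = (-sum(hdr) - sum(body)) % 256  # fix up the header checksum byte
    return bytes(hdr) + body
```

On a Linux live system, `parse_wpbt(SYSFS_WPBT.read_bytes())` shows the OEM, image size and command line the firmware would hand to Windows; if `SYSFS_WPBT` does not exist, the firmware publishes no such table.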
Many forums have criticized Lenovo for this and believe that the Chinese computer maker has installed a “bootkit” (see Definition) that survives a full system wipe and reinstall.
Lenovo’s admission is that, for desktops, the software doesn’t send any personally identifying information, only basic information, including system model, date, region and system ID, to a Lenovo server. Lenovo further claims that this is a one-time action: the information is sent to its server only when the machine connects to the internet.
On laptops, however, the story is somewhat different. LSE installs a software program called OneKey Optimizer (OKO) that is bundled with many Lenovo laptops. According to the company, OKO is used to enhance computer performance by updating the firmware, drivers, and pre-installed apps, as well as “scanning junk files and find factors that influence system performance.”
OKO is known as “crapware” (see Definition), and both OKO and LSE appear to be insecure.
The good news is that since the issue was raised with Lenovo and Microsoft in April, the company was forced to stop including LSE on its new systems built since June. Lenovo has also provided firmware updates for vulnerable laptops, with instructions on how to disable the option on affected machines and clean up LSE files.
Many Lenovo machines, such as the Flex and Yoga lines running Windows 7, Windows 8 and 8.1, are affected by this issue.
Lenovo has since released a statement that all its machines made from June onward have BIOS firmware that eliminates the problem, and that it’s no longer installing Lenovo Service Engine (LSE) on PCs.
Recommendation
To remove LSE from affected machines, follow these simple steps:
1. Know your system type – 32-bit or 64-bit version of Windows.
2. Browse to the Lenovo Security Advisory, and select the link for your specific Lenovo machine.
3. Click the “Date” button for the most recent update.
4. Search for “Lenovo LSE Windows Disabler Tool”. Click the download button next to the version that matches your version of Windows.
5. Open the program once it downloads and it will remove the LSE software.
Definition
1. Rootkit – malicious software that allows an unauthorized user to maintain access to a computer by concealing programs, processes, files or data from the operating system.
2. Firmware – software that is permanently etched into a hardware device such as a keyboard, hard drive, BIOS chip, or video card. It is designed to give permanent instructions for communicating with other devices and performing functions like basic input/output tasks. Without firmware, a hardware device would be non-functional.
3. Bootkit – an advanced form of rootkit that infects the master boot record (MBR), so that it remains active even after a system reboot.
4. Crapware – an unflattering name for unwanted software or software that doesn’t perform up to expectations.
Source
Hacker News.
The Week That Was
1. Windows Update can be intercepted to inject malware. Yes, you read that right. Security researchers have shown that hackers could intercept Windows Update to deliver and inject malware in organisations. WSUS (Windows Server Update Services) allows an administrator to deploy Windows software updates to servers and desktops throughout an organization. These updates come from a WSUS server and not a Microsoft server. By default, WSUS does not use encrypted HTTPS, but rather unencrypted HTTP.
2. Windows 10 continually rebooting? Some users found that their computers kept rebooting after downloading a buggy cumulative update from Microsoft. So if you are planning to upgrade to Windows 10, hold on until the software giant resolves this issue. Hopefully, Microsoft will have resolved it by the time you read this.
3. Angler EK exploits recently patched IE bug to deliver ransomware. Microsoft provided a security update last month to fix a vulnerability in Internet Explorer. If you haven’t already, now is a good time to patch IE. The security hole is being exploited currently by the Angler exploit kit.
4. Wearable devices targeted by ransomware. Criminals are now targeting the IoT (Internet of Things) and wearable devices such as Android and iOS-based smartwatches. For example, an Android ransomware app installed on a phone was also pushed onto an Android Wear smartwatch once the watch was paired with the phone via Bluetooth.
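For the WSUS item above, the defender's first check is whether clients are pointed at the WSUS server over HTTPS rather than the default HTTP. The following added audit script is the editor's example, not from the researchers or Microsoft; it reads the real `WindowsUpdate` policy registry values (`WUServer`, `WUStatusServer`, `UseWUServer`) when run on Windows, and the two sample policies at the bottom are constructed.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Group Policy location Windows clients read for their WSUS server.
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

def _reg_value(winreg, subkey: str, name: str):
    """Fetch one HKLM value, or None if the key or value is absent."""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None

def read_wsus_policy() -> Optional[Dict[str, object]]:
    """Read the live policy on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    return {"UseWUServer": _reg_value(winreg, POLICY_KEY + r"\AU", "UseWUServer"),
            "WUServer": _reg_value(winreg, POLICY_KEY, "WUServer"),
            "WUStatusServer": _reg_value(winreg, POLICY_KEY, "WUStatusServer")}

def audit_wsus_policy(policy: Dict[str, object]) -> List[str]:
    """Return findings; an empty list means every WSUS URL is HTTPS and consistent."""
    if policy.get("UseWUServer") != 1:
        return []  # clients talk to Microsoft Update directly; WSUS is not in play
    findings: List[str] = []
    hosts = set()
    for name in ("WUServer", "WUStatusServer"):
        url = policy.get(name)
        if not isinstance(url, str) or not url:
            findings.append(f"{name} is missing although UseWUServer=1")
            continue
        parts = urlsplit(url)
        hosts.add((parts.hostname or "").lower())
        if parts.scheme.lower() != "https":
            findings.append(f"{name}={url}: plain HTTP lets an on-path attacker "
                            "alter the update metadata clients trust")
    if len(hosts) > 1:
        findings.append("WUServer and WUStatusServer point at different hosts")
    return findings

# Constructed sample policies (not taken from any real system).
INSECURE = {"UseWUServer": 1, "WUServer": "http://wsus.corp.example:8530",
            "WUStatusServer": "http://wsus.corp.example:8530"}
SECURE = {"UseWUServer": 1, "WUServer": "https://wsus.corp.example:8531",
          "WUStatusServer": "https://wsus.corp.example:8531"}
```

On a domain-joined Windows client, `audit_wsus_policy(read_wsus_policy() or {})` reports whether that machine's own update source is exposed; an empty result for the constructed `SECURE` policy and two findings for `INSECURE` show the two cases.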