
Lenovo Offers Fix for Auto-Installing Bloatware Issue

Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware.


A user discovered the rootkit when a file on his Lenovo laptop was automatically overwritten every time he rebooted his computer.

The good news is that most OEMs do not seem to take advantage of this feature. (If you are connected to the internet, it will send some system data back to Lenovo as well.) According to a security bulletin issued by the company, LSE could be exploited by hackers to infect machines. OneKey Optimizer arguably falls into the “crapware” category. The software optimizes the PC by “updating firmware, drivers, and pre-installed apps”.

Making matters worse, LSE and/or OneKey Optimizer (OKO) appear to be insecure. Lenovo has posted a list of affected laptops and a disabler tool.

The issue was spotted by a poster on our own forums.

Even if the machine has a clean install – the hard disk wiped – the PC’s firmware downloads and installs a new copy. The company developed and deployed a method of forcing its laptops to download bundled adware and applications. This is a collection of “anti-theft” and “system optimization” software which would be classed by many people as junk.

The Windows Platform Binary Table (WPBT) is built into Windows and, by all reports, cannot be turned off. This is all governed by a specification called ACPI, Advanced Configuration and Power Interface. When it boots, Windows looks for a WPBT.

The first thing to understand about this issue is that Lenovo didn’t just hack in some illicit framework to deliver this software. “As it has been proven Lenovo was forcibly installing vulnerable binaries on the operating system – in this case no anti-virus or OS reinstallation would be able to rescue the laptop”.

It said that as a result of these findings, Microsoft recently released updated security guidelines on how to best implement this Windows BIOS feature.

Reportedly, the only way to remove the offending BIOS write loop is to flash the BIOS directly, which is complex and risky – potentially ending in a “bricked” system if the BIOS flash fails. LoJack firmware, for example, traditionally ships in a “disabled” state and requires user intervention to enable.

Tweets and comments on this all reflect the same sentiment: “The Lenovo brand is now synonymous with dodginess and anyone using it should treat its products with great suspicion”.


In this instance, the feature is being used to push Lenovo Service Engine (LSE) software (usually preinstalled on Lenovo systems) to computers.

Lenovo is inserting its own software into clean Windows installs via BIOS