A recently uncovered feature — which had been swept under the rug — allowed new Lenovo laptops to use new Windows features to install the company’s software and tools even if the computer was wiped.
Users discovered the issue in May when using a new Lenovo laptop that automatically and covertly overwrote a system file on every boot; the replacement file downloaded a Lenovo updater and installed software automatically, even if Windows had been reinstalled from a DVD.
The only problem is that nobody actually asked for this software, and it persisted between clean installs of Windows. Lenovo was essentially running a rootkit on its own laptops to ensure its software persists if the machine is wiped.
How it works
The mechanism triggering this is called the Lenovo Service Engine, which downloads a program called OneKey Optimizer used for “enhancing PC performance by updating firmware, drivers and pre-installed apps” as well as “scanning junk files and find factors that influence system performance.”
It also sends “system data to a Lenovo server to help us understand how customers use our products,” but the company claims it’s not “personally identifiable information.” The problem is, users have no idea this is going on, and it was very hard to get rid of.
If Windows 7 or 8 is installed, the BIOS of the laptop checks C:\Windows\system32\autochk.exe to see whether it is the Microsoft file or a Lenovo-signed one, then overwrites the file with its own.
Then, when the modified autochk file is executed on boot, it creates two more files, LenovoUpdate.exe and LenovoCheck.exe, which set up a service and download files once the machine is connected to the internet.
Lenovo already quietly fixed part of the bug but didn’t exactly make it loud and clear.
In a July 31 security bulletin it vaguely refers to a vulnerability found in the Lenovo Service Engine, by which attackers could abuse the mechanism to install software using a malicious server.
The company issued a patch to remove the functionality altogether between April and May of 2015, though it requires manual execution to disable the functionality. Users do not appear to receive it automatically.
Allowed by Microsoft
Here’s the kicker: the mechanism Lenovo was using is actually a Microsoft-sanctioned technique, called the “Windows Platform Binary Table,” first introduced in November 2011 and updated for the first time in July of this year.
The document had only two mentions online before today, one from an apparent Lenovo software engineer asking for help tinkering with laptop ACPI tables.
The feature allows computer manufacturers to push software for installation from the BIOS to the system, meaning it’ll persist between installations of Windows regardless of whether it’s a clean installation or not.
The document was modified upon discovery of the Lenovo exploit to say that it exists to allow “critical software” like “anti-theft software” to persist across reinstallation of operating systems, but obviously computer manufacturers like Lenovo have a different idea of what that actually means (see also: the time Lenovo installed software that hijacked secure internet traffic).
Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and that it is removable by the user, but the rules outlined in the document are fairly loose and don’t require the OEM to notify the owner of the laptop that such a mechanism is in place.
Both users reported being confused about how Lenovo software was installed on their computers after performing an installation from a DVD.
A wide range of Lenovo laptops are affected by the issue: Flex 2 Pro-15/Edge 15 (Broadwell/Haswell models), Flex 3-1470/1570/1120, G40-80/G50-80/G50-80 Touch/V3000, S21e, S41-70/U40-70, S435/M40-35, Yoga 3 14, Yoga 3 11, Y40-80, Z41-70/Z51-70 and Z70-80/G70-80.
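Because the table is a plain ACPI structure, an owner or administrator can check for themselves whether firmware is declaring a boot-time binary, which is the first step in finding out that a mechanism like the Lenovo Service Engine is present at all. The script below is an added example written for this article; it is not code from the article, from Lenovo or from Microsoft. It assumes the field layout in Microsoft's published WPBT specification (revision 1, content layout 1 = a single PE image, content type 1 = a native user-mode application), reads the live table on Windows through the GetSystemFirmwareTable API (assumed from the Win32 documentation: provider 'ACPI' is 0x41435049 and the table ID is the four signature bytes as a little-endian DWORD), and otherwise parses SAMPLE_WPBT, a constructed table with made-up OEM strings and address.

```python
"""Inspect a WPBT (Windows Platform Binary Table), the ACPI table that lets
firmware hand Windows a binary to run at boot.

Added example for this article; not code from the article, Lenovo or Microsoft.
Field layout follows Microsoft's published WPBT specification (assumed:
revision 1, content layout 1 = single PE image, content type 1 = native
user-mode application). SAMPLE_WPBT is a constructed table, not a real one.
"""
import struct
import sys

# Standard 36-byte ACPI header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields after the header: handoff memory size, handoff memory
# location (physical address), content layout, content type, and the byte
# length of the UTF-16 command line that follows.
WPBT_BODY = struct.Struct("<IQBBH")


def acpi_checksum_ok(blob):
    """Every ACPI table must sum to zero modulo 256 over its full length."""
    return sum(blob) % 256 == 0


def build_wpbt(oem_id, oem_table_id, binary_size, binary_addr, args):
    """Assemble a revision-1 WPBT with a valid checksum (used for the sample)."""
    arg_bytes = (args + "\x00").encode("utf-16-le")
    body = WPBT_BODY.pack(binary_size, binary_addr, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id, oem_table_id, 1, b"EXMP", 1)
    raw = bytearray(header + body)
    raw[9] = (-sum(raw)) % 256      # checksum byte sits at offset 9 of the header
    return bytes(raw)


def parse_wpbt(blob):
    """Return the fields of a WPBT blob as a dict; raise ValueError if malformed."""
    if len(blob) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    (sig, length, rev, _csum, oem_id, oem_table_id,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(blob, 0)
    if sig != b"WPBT":
        raise ValueError("not a WPBT table: signature %r" % sig)
    if length != len(blob):
        raise ValueError("header length %d does not match buffer %d" % (length, len(blob)))
    size, addr, layout, ctype, arglen = WPBT_BODY.unpack_from(blob, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    args = blob[args_off:args_off + arglen].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table_id.decode("ascii", "replace").strip(),
        "revision": rev,
        "checksum_ok": acpi_checksum_ok(blob),
        "binary_size": size,
        "binary_addr": addr,
        "layout": layout,
        "content_type": ctype,
        "args": args,
    }


def read_live_wpbt():
    """Windows only: fetch the firmware's WPBT via GetSystemFirmwareTable.
    Assumed from the Win32 API docs: provider 'ACPI' is 0x41435049 and the
    table ID is the 4-byte signature read as a little-endian DWORD.
    Returns None when the table is absent or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    provider, table_id = 0x41435049, int.from_bytes(b"WPBT", "little")
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    got = k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got] if got else None


# Constructed sample: a 0x2000-byte image at a made-up physical address.
SAMPLE_WPBT = build_wpbt(b"EXAMPL", b"EXAMPLE0", 0x2000, 0x7FF00000, "/quiet")


def report(blob):
    """One line per field, plus a note whenever a boot-time binary is declared."""
    info = parse_wpbt(blob)
    lines = ["%-13s %s" % (k + ":", hex(v) if k == "binary_addr" else v)
             for k, v in info.items()]
    if info["binary_size"]:
        lines.append("NOTE: firmware declares a %d-byte binary that Windows will "
                     "run at boot regardless of what is on disk." % info["binary_size"])
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_live_wpbt()
    print("Source: %s" % ("live firmware" if live else "constructed sample"))
    print(report(live or SAMPLE_WPBT))
```

On a machine without a WPBT the live read returns nothing and the script falls back to the sample; on a machine that has one, the OEM ID, table ID and declared binary size tell you which vendor is using the feature and that a firmware-supplied program will run before any software you installed. The checksum test is worth keeping: a table that fails it is either corrupted or was not produced by the platform firmware's own build process.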
A scary future
The revelation is one that makes me slightly nervous: a truly clean, untouched install of Windows is now very difficult to achieve, and computer manufacturers are quietly installing software without user knowledge.
Other manufacturers could have been using the technique without user knowledge, but it’s unclear at this time.
At least there’s good news: if you own one of these laptops you can disable the feature right now by downloading the utility at this link. The bad news: it wasn’t already done for you.
When we asked Lenovo for comment, they directed us back to the bulletin that describes the patch. Microsoft has yet to respond with a comment.
It’s worth noting that almost all computers execute the autochk.exe file on boot, with an extensive white paper published earlier this year on the technique — this is just the first time we’ve seen it in action.
If you have an affected laptop, let us know in the comments. We’d love to talk to you.
Image credit: Shutterstock