Just when the Superfish fiasco had blown over, Lenovo is once again being dragged into the hot seat for another potential security risk created for the sake of installing bloatware. The Lenovo Service Engine, or LSE, which will surely soon have a more derogatory moniker, was discovered to be modifying particular Windows system files, which in turn download special Lenovo software (a.k.a. bloatware). The real kicker here is that LSE continues to work its magic behind the scenes even if you reformat and reinstall Windows.
The situation was reported by a user on Ars Technica’s forums but has actually been ongoing behind the scenes for quite a while now. What gives LSE its seemingly immortal power is that it resides in the computer’s BIOS, the part of the system that runs before any software is ever loaded and is untouched by reformats since it doesn’t live on the data drive. The capability to have something like this actually stems from Microsoft, way back in 2011. It was originally envisioned as a way to implement anti-theft checking and reporting software. Naturally, you’d want this kind of feature to outlive any attempts to reformat the system.
However, Lenovo interpreted the feature’s purpose differently. Given Microsoft’s lax rules about the mechanism, the PC maker used the facility to ensure that its “OneKey Optimizer” software remains installed no matter how many times you wipe out Windows. This bloat/crapware is advertised as doing useful software maintenance but was also noted to be sending some system information to Lenovo, though with the promise that no personally identifying data is sent aside from the machine’s unique system ID. The bad news is that LSE itself was actually vulnerable to getting hacked, which opens the feature to equally immortal malware.
In an official statement, Lenovo says that it has already made available a BIOS firmware update that plugs the security hole and allows users to disable or remove LSE. In addition, new Lenovo systems will no longer have LSE pre-installed, but owners of older Lenovo computers will have to do most of the work themselves. Microsoft has also updated its security guidelines, requiring tighter security from OEMs and invalidating LSE.
While the crisis may be on its way to being solved, it does paint a rather worrying picture. The Microsoft Windows feature in question has been in existence since 2011 and the Lenovo Service Engine has been working since April. Neither has really been brought to the public’s attention until it was almost too late. Who knows how many other such features lurk silently or can be implemented in the future? And while Microsoft has tightened its guidelines, in the end it is still the OEM that does the implementation. And as this case proves, some can slip quietly through the cracks.