Lenovo's Service Engine marks yet another bloatware blunder for the company

By preventing laptops and desktops from performing a truly clean install of Windows, Lenovo may have left users open to attack.

Lenovo isn't doing its reputation any favors with the discovery of another security issue around its pre-loaded PC software.

The latest issue relates to a "feature" in Lenovo's BIOS firmware that automatically downloads Lenovo software and services, even if the user has performed a clean install of Windows. Microsoft actually allows this practice, but Lenovo's particular implementation -- dubbed "Lenovo Service Engine" -- led to a security vulnerability, which an independent security researcher discovered in the April to May timeframe.

In response, Microsoft has put out security guidelines for this BIOS technique, which it calls the "Windows Platform Binary Table." Because Lenovo Service Engine doesn't meet those guidelines, Lenovo has stripped the tool from its BIOS firmware in all PCs shipped after June. The company has also released a special disabler tool, and on July 31 released a BIOS update to remove the tool from existing PCs. Dozens of consumer laptop and desktop models are affected, but Lenovo says its Think-brand PCs are not.

Why this matters

There are a couple of points of concern here. First is the vulnerability itself, which has flown under the radar for months. But just as troubling is the Microsoft-sanctioned mechanism that Lenovo was using to insert its software onto clean Windows installs. (One user on HackerNews described it as a "rootkit-like" technique.) It's entirely possible that other PC vendors are relying on the same mechanism for sneakily installing their own software, but just haven't run into the same security issues that Lenovo did.

A brief history of Lenovo security woes

The timing is particularly poor for Lenovo, as it's just coming off another security scandal related to bloatware. In January, researchers discovered that a pre-loaded program called Superfish Visual Discovery was able to inject advertisements into the user's web browser. In the process, Superfish was overriding the security certificates that many websites use to encrypt their data, creating a weakness that could make banking credentials and other sensitive information available to hackers.

Lenovo eventually admitted that it messed up, pushed an update that removed Superfish from affected PCs, and vowed to significantly cut down on the amount of bloatware it installs on laptops and desktops. Still, the company faces a lawsuit over the whole ordeal.

The Lenovo Service Engine issue is unrelated, though it contains at least a whiff of the creepiness that got Lenovo in trouble last time. As The Next Web points out, the software installed by Lenovo Service Engine didn't just include updates to drivers, firmware, and pre-installed apps, but also sent "system data to a Lenovo server to help us understand how customers use our products." While Lenovo says it's not collecting personally identifiable information, the collection itself may be something customers aren't aware of, and until now haven't had any control over.


Jared Newman

PC World (US online)