Lenovo's Service Engine marks yet another bloatware blunder for the company

By preventing laptops and desktops from performing a truly clean install of Windows, Lenovo may have left users open to attack.

Lenovo isn't doing its reputation any favors with the discovery of another security issue around its pre-loaded PC software.

The latest issue relates to a "feature" in Lenovo's BIOS firmware that automatically downloads Lenovo software and services, even if the user has performed a clean install of Windows. Microsoft actually allows this practice, but Lenovo's particular implementation -- dubbed "Lenovo Service Engine" -- led to a security vulnerability, which an independent security researcher discovered in the April to May timeframe.

In response, Microsoft has put out security guidelines for this BIOS technique, which it calls the "Windows Platform Binary Table." Because Lenovo Service Engine doesn't meet those guidelines, Lenovo has stripped the tool from its BIOS firmware in all PCs shipped after June. The company has also released a special disabler tool, and on July 31 released a BIOS update to remove the tool from existing PCs. Dozens of consumer laptop and desktop models are affected, but Lenovo says its Think-brand PCs are not.
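For a defender who wants to see what a machine's firmware is handing to Windows through this mechanism, here is an added example (not code from the article, Lenovo or Microsoft) that parses a dumped WPBT table: the field layout follows Microsoft's published WPBT specification, and the sample table is constructed for the test.

```python
"""Parse a Windows Platform Binary Table (WPBT) ACPI table.

A WPBT tells Windows to copy a firmware-supplied PE image into the
fresh install and run it at boot, which is how Lenovo Service Engine
survived a clean install. Dump the table from the running system
(Linux: /sys/firmware/acpi/tables/WPBT; Windows: the binary value under
HKLM\\HARDWARE\\ACPI\\WPBT) and pass the bytes to parse_wpbt().
"""
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI header
WPBT_BODY = struct.Struct("<IQBB")             # handoff size, location, layout, type


def acpi_checksum_ok(table: bytes) -> bool:
    # Every ACPI table sums to zero modulo 256 over its declared length.
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    sig, length, _rev, _chk, oem_id, oem_tid, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length > len(table) or length < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("declared length is inconsistent with buffer")
    table = table[:length]
    size, location, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    info = {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_tid.rstrip(b"\0 ").decode("ascii", "replace"),
        "handoff_size": size,            # bytes of the PE image in firmware memory
        "handoff_location": location,    # physical address of that image
        "content_layout": layout,        # 1 = single PE image
        "content_type": ctype,           # 1 = native user-mode application
        "checksum_ok": acpi_checksum_ok(table),
        "cmdline": "",
    }
    off = ACPI_HEADER.size + WPBT_BODY.size
    if ctype == 1 and off + 2 <= length:      # type 1 carries a UTF-16 command line
        (arglen,) = struct.unpack_from("<H", table, off)
        raw = table[off + 2: off + 2 + arglen]
        info["cmdline"] = raw.decode("utf-16-le", "replace").rstrip("\0")
    return info


def build_wpbt(oem_id: bytes, location: int, size: int, cmdline: str) -> bytes:
    # Constructed sample for testing only; a real table comes from firmware.
    args = cmdline.encode("utf-16-le") + b"\0\0"
    body = WPBT_BODY.pack(size, location, 1, 1) + struct.pack("<H", len(args)) + args
    hdr = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                           oem_id.ljust(6), b"WPBT".ljust(8), 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) % 256          # fix up the header checksum byte
    return bytes(table)


SAMPLE = build_wpbt(b"ACME", 0x7F000000, 0x20000, "/quiet /install")  # constructed
```

If the table is absent the dump path will not exist, which is the outcome a clean firmware should produce; a present table with a non-zero checksum residue indicates a corrupt or tampered table.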

Why this matters

There are a couple of points of concern here. First is the vulnerability itself, which has flown under the radar for months. But just as troubling is the Microsoft-sanctioned mechanism that Lenovo was using to insert its software onto clean Windows installs. (One user on HackerNews described it as a "rootkit-like" technique.) It's entirely possible that other PC vendors are relying on the same mechanism for sneakily installing their own software, but just haven't run into the same security issues that Lenovo did.

A brief history of Lenovo security woes

The timing is particularly poor for Lenovo, as it's just coming off another security scandal related to bloatware. In January, researchers discovered that a pre-loaded program called Superfish Visual Discovery was able to inject advertisements into the user's web browser. In the process, Superfish was overriding the security certificates that many websites use to encrypt their data, creating a weakness that could make banking credentials and other sensitive information available to hackers.

Lenovo eventually admitted that it messed up, pushed an update that removed Superfish from affected PCs, and vowed to significantly cut down on the amount of bloatware it installs on laptops and desktops. Still, the company faces a lawsuit over the whole ordeal.

The Lenovo Service Engine issue is unrelated, though it contains at least a whiff of the creepiness that got Lenovo in trouble last time. As The Next Web points out, the software installed by Lenovo Service Engine didn't just include updates to drivers, firmware, and pre-installed apps, but also sent "system data to a Lenovo server to help us understand how customers use our products." While Lenovo says it's not collecting personally identifiable information, the collection itself may be something customers aren't aware of, and until now haven't had any control over.


Jared Newman

PC World (US online)