Lenovo's Service Engine marks yet another bloatware blunder for the company

By preventing laptops and desktops from performing a truly clean install of Windows, Lenovo may have left users open to attack.

Lenovo isn't doing its reputation any favors with the discovery of another security issue around its pre-loaded PC software.

The latest issue relates to a "feature" in Lenovo's BIOS firmware that automatically downloads Lenovo software and services, even if the user has performed a clean install of Windows. Microsoft actually allows this practice, but Lenovo's particular implementation -- dubbed "Lenovo Service Engine" -- led to a security vulnerability, which an independent security researcher discovered in the April to May timeframe.

In response, Microsoft has put out security guidelines for this BIOS technique, which it calls the "Windows Platform Binary Table." Because Lenovo Service Engine doesn't meet those guidelines, Lenovo has stripped the tool from its BIOS firmware in all PCs shipped after June. The company has also released a special disabler tool, and on July 31 released a BIOS update to remove the tool from existing PCs. Dozens of consumer laptop and desktop models are affected, but Lenovo says its Think-brand PCs are not.

Why this matters

There are a couple of points of concern here. First is the vulnerability itself, which has flown under the radar for months. But just as troubling is the Microsoft-sanctioned mechanism that Lenovo was using to insert its software onto clean Windows installs. (One user on HackerNews described it as a "rootkit-like" technique.) It's entirely possible that other PC vendors are relying on the same mechanism for sneakily installing their own software, but just haven't run into the same security issues that Lenovo did.

A brief history of Lenovo security woes

The timing is particularly poor for Lenovo, as it's just coming off another security scandal related to bloatware. In January, researchers discovered that a pre-loaded program called Superfish Visual Discovery was able to inject advertisements into the user's web browser. In the process, Superfish was overriding the security certificates that many websites use to encrypt their data, creating a weakness that could make banking credentials and other sensitive information available to hackers.

Lenovo eventually admitted that it messed up, pushed an update that removed Superfish from affected PCs, and vowed to significantly cut down on the amount of bloatware it installs on laptops and desktops. Still, the company faces a lawsuit over the whole ordeal.

The Lenovo Service Engine issue is unrelated, though it contains at least a whiff of the creepiness that got Lenovo in trouble last time. As The Next Web points out, the software installed by Lenovo Service Engine didn't just include updates to drivers, firmware, and pre-installed apps, but also sent "system data to a Lenovo server to help us understand how customers use our products." While Lenovo says it's not collecting personally identifiable information, the collection itself may be something customers aren't aware of, and until now haven't had any control over.


Jared Newman

PC World (US online)