Lenovo has reportedly been caught using a "rootkit-like" technique to forcefully install a bunch of software on its Windows-powered machines. The largest PC vendor is said to be using the BIOS to track a certain application in Windows' system files and overwrite it on boot up with its own programs. Furthermore, the mechanism the company utilises to tweak the BIOS is vulnerable and can be used to install malicious code. Lenovo has issued a patch to remove the vulnerability, but users will have to download and install it manually.
Multiple users report that the Chinese computer manufacturer is covertly installing its software on Windows-powered computers. One person who goes by the username 'chuckup' on Hacker News, notes that a Lenovo service gets installed on the machine even after performing a clean OS install on a new SSD using a Windows 8 DVD.The company is installing an application called "Lenovo Updater" using a mechanism that appears to resemble a rootkit, an unauthorised way to gain access, on its computers using something called Lenovo Service Engine (LSE) to download a program called OneKey Optimiser (OKO).
Here's how the company describes this application, it "is powerful, next-generation system optimization software designed specifically for Lenovo computers. It can enhance your PC's performance by updating firmware, drivers, and pre-installed apps. It also provides power management schemes that can extend the life of your battery."But that's not all. As The Next Web, points out the application also sends data to Lenovo server to help them "understand how customers use [their] products." A predefined setting made to the BIOS forces it to verify a program called "autochk.exe" (found here: Windows\system32) to see whether it is signed by Microsoft or Lenovo. In case of the former, it seemingly overwrites the file with its own.
This application then creates LenovoUpdate.exe and LenovoCheck.exe programs which further download more files when the computer establishes a connection with the Internet.
If that wasn't dubious enough, a vulnerability was found in the way Lenovo uses Lenovo Service Engine to download files. The company issued a patch to remove the functionality on July 31, but it will have to be downloaded and installed manually. An advisory on Lenovo's official support site notes that a number of laptops and desktops including Yoga 3 14 and Z70-80 / G70-80 are vulnerable to the attack.
The vulnerability once again raises concerns about an OEM's authority over the software it loads on its systems. Lenovo was widely criticised earlier this year over the Superfish fiasco wherein one of the apps it preloaded was categorised as adware.
Microsoft allows manufacturers to make changes to BIOS and even allows them to push software for installation from BIOS. However, a manufacturer ideally needs to update the mechanism if a vulnerability is detected in it.