Lenovo has urged its users to download the latest BIOS firmware update that disables a controversial "unwanted software" from its machines. Amid strong criticism after the revelation of "surreptitious" installation of certain programs in a large number of Lenovo PCs and laptops, the world's largest PC manufacturer has broken its silence on the matter.
The company was thrown under the last week when several users started to report that the PC manufacturer was using a "rootkit-like" technique to forcefully install a bunch of software on its Windows-powered PCs and laptops. Lenovo was using BIOS to keep track of certain applications on Windows' system files and overwrite it on boot-up with its in-house alternative called Lenovo Service Engine (LSE).
Furthermore, a vulnerability was found in the way the company was tweaking the BIOS. The vulnerability, if exploited, allowed an attacker to gain admin-level access of the system and install malicious code. Lenovo issued a patch to fix it on July 31, but it requires manual installation.
In a public announcement, the company has now said that its latest BIOS firmware, which was released on July 31, disables the script which allowed automatic reinstallation of unwanted software even after a full Windows wipe. The vulnerability affected a large pool of Lenovo PCs and laptops including Flex 3 1120, Yoga 3 11, and Horizon 2 27 among others. All the new laptops that shipped after June 2015 aren't affected with the said vulnerability.
"The vulnerability was linked to the way Lenovo utilised a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. Think-brand PCs are unaffected," wrote Lenovo.
"Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server."
The update firmware is available to download from company's website. Depending on the configuration of your BIOS, Lenovo has also put up instructions to help you install the update on your machine.
The full list of impacted products is as follows:
Lenovo notebooks: Flex 2 Pro 15 (Broadwell), Flex 2 Pro 15 (Haswell), Flex 3 1120, Flex 3 1470/ 1570, G40-80/ G50-80/ G50-80 Touch, S41-70/ U41-70, S435/ M40-35, V3000, Y40-80, Yoga 3 11, Yoga 3 14, Z41-70/ Z51-70, Z70-80/ G70-80.
Lenovo desktops (world wide): A540/ A740, B4030, B5030, B5035, B750, H3000, H3050, H5000, H5050, H5055, Horizon 2 27, Horizon 2e (Yoga Home 500), Horizon 2S, C260, C2005, C2030, C4005, C4030, C5030, X310 (A78), X315 (B85).
Lenovo desktops (China only): D3000, D5050, D5055, F5000, F5050, F5055, G5000, G5050, G5055, YT A5700k, YT A7700k, YT M2620n, YT M5310n, YT M5790n, YT M7100n, YT S4005, YT S4030, YT S4040, YT S5030.
This is the second time the company has been caught indulging in installation of "unwanted software" on its machines. In February, Lenovo was found shipping its Windows-powered machines with an adware called "Superfish" pre-installed.