Wednesday, August 12, 2015

Lenovo is inserting its own software into clean Windows installs via BIOS – but is Microsoft actually to blame? [UPDATED]



which a Lenovo spokesperson tells us was published "late last night US time", the firm calls the BIOS-writing phenomenon a "security vulnerability" that was "linked to a way Lenovo utilised a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine".

This appears to be a direct reference to the way Lenovo has tooled its systems to use Microsoft's WPBT to rewrite BIOS instructions.

Lenovo's LSE is apparently now "no longer being installed on Lenovo systems" and the company has also released a BIOS flash which "disables and or removes this feature".

Computing is waiting to hear what the criteria are for either disabling or removing the LSE on specific models or configurations.

The release also contains an exhaustive list of affected models, none of which, Lenovo states, is in the "Think-branded" PC series.

[ORIGINAL STORY]

Lenovo is reportedly using rootkit-style techniques to put its own software on to clean Windows installs by programming the BIOS of its machines to overwrite Windows system files every time the hardware boots.

Following on from the customer fallout around the SuperFish "adware" that Lenovo was pre-installing on Windows machines before they reached retailers, it seems that the hardware company may still be loading its own adware, but has become more astute about it.

First discussed in a forum thread at Ars Technica several days ago, the given example was a Lenovo Y40-80 laptop. The BIOS trick was found to affect both Windows 7 and 8.

According to the post, before Windows boots the system BIOS checks the file C:\Windows\system32\autochk.exe. If that file is the original Microsoft version rather than Lenovo's own, it is moved to a temporary file area and the Lenovo BIOS writes its own version of autochk.exe into Windows' system32 folder. Lenovo's autochk.exe is equipped to write LenovoUpdate.exe and LenovoCheck.exe to that same folder, and is instructed to run one or both of these .exe files when the system connects to the internet.

Reportedly, the only way to remove the offending BIOS write loop is to flash the BIOS directly, which is complex and risky - potentially ending in a "bricked" system if the BIOS flash fails.

Forum posters at Y Combinator's "Hacker News" (Ycombinator.com) and Reddit, however, have begun debating how far the issue is Lenovo's own doing, and how much of it is simply direct exploitation of a facility Microsoft has built into Windows.

The Windows Platform Binary Table is built into Windows and, by all reports, cannot be turned off.
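The following is an added defensive check, not code from Lenovo, Microsoft or the original article, that ties the two points above together: it asks the firmware whether an ACPI table with the signature WPBT is present at all, verifies that autochk.exe still carries a Microsoft signature, and looks for the files named in the forum thread. It assumes Windows 8 or later with PowerShell 5, and the function names Test-WpbtTable and Get-PlatformBinaryReport are hypothetical.

```powershell
# Added example (not Lenovo's, Microsoft's or the article's own code).
# Assumes Windows 8+ and PowerShell 5; no administrator rights are required.
# Test-WpbtTable and Get-PlatformBinaryReport are hypothetical helper names.

$k32 = Add-Type -Namespace 'Win32' -Name 'Firmware' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

# Ask the firmware for the size of the ACPI table whose signature is 'WPBT'.
# Provider 'ACPI' is 0x41435049; the table ID is the four-byte signature in little-endian order.
# A size of 0 means no such table was exposed by the firmware.
function Test-WpbtTable {
    $provider = 0x41435049
    $tableId  = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
    $size = $k32::GetSystemFirmwareTable($provider, $tableId, $null, 0)
    return [pscustomobject]@{ Present = ($size -gt 0); SizeBytes = $size }
}

function Get-PlatformBinaryReport {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $wpbt  = Test-WpbtTable

    # autochk.exe runs before the desktop, which is why the forum post says the BIOS swaps it.
    # Catalog-signed OS binaries report 'Valid' with a Microsoft signer on Windows 8 and later.
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $sys32 'autochk.exe')
    $autochkTrusted = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # Windows writes a WPBT-delivered binary to System32 as wpbbin.exe; the two
    # Lenovo executables are the names reported in the Ars Technica thread.
    $suspectFiles = @('wpbbin.exe', 'LenovoUpdate.exe', 'LenovoCheck.exe') |
        Where-Object { Test-Path (Join-Path $sys32 $_) }

    $finding = if ($wpbt.Present -or -not $autochkTrusted -or $suspectFiles) { 'review' } else { 'clean' }

    [pscustomobject]@{
        WpbtPresent       = $wpbt.Present
        WpbtSizeBytes     = $wpbt.SizeBytes
        AutochkSignedByMS = $autochkTrusted
        AutochkSigner     = $sig.SignerCertificate.Subject
        SuspectFilesFound = @($suspectFiles)
        Finding           = $finding
    }
}

Get-PlatformBinaryReport | Format-List
```

A present WPBT table is not by itself malicious, since the mechanism exists for legitimate provisioning; the point of the report is to surface it alongside an unexpectedly unsigned autochk.exe or the named files so an administrator can investigate.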

Microsoft quotes this function as allowing "a platform [to] be provisioned with the Windows operating system by entities including an enterprise, a system reseller or an end-user customer".

"If the platform has drivers, system services or executable files that are integral to the platform, the platform binaries must either be distributed as part of the Windows image or they must be injected into the Windows image by each of the possible provisioning entities," Microsoft's literature continues.

It is debatable whether - taking Lenovo's history into account - executables that may result in nothing more than adware or general transfer of user data for commercial gain can be considered "integral".

In terms of BIOS use for such purposes as Lenovo's, Microsoft's own literature describes a process whereby a "hooking process" can be achieved by way of a "BIOS interrupt service". This is "not trivial and should be taken into consideration when designing a BIOS solution that publishes a WPBT [Windows Platform Binary Table]", the literature warns.

It should also be noted that "the guidance and requirements to use WPBT functionality has been updated for the Windows 10 timeframe," as stated by Microsoft in its literature.

Computing has contacted Microsoft for further details and comment on its precise policies when working with OEMs on hardware devices that run Windows, and to what extent it allows OEMs to insert software that, effectively, cannot be disabled.
