Lenovo Caught Installing Unsecure Crapware Onto Laptops

Lenovo’s been caught sneaking crapware into its laptops – again. The Chinese firm sold PCs bundled with software that contains an exploitable security vulnerability and cannot be removed.

Even if the hard drive is wiped and Windows gets a clean install, the crapware will worm its way back into the laptop’s system.

Lenovo bundled the crapware inside its Lenovo Service Engine (LSE), firmware on the laptop’s motherboard that is activated when users switch on the laptop, before Windows is even launched.

OneKey Optimizer

The LSE installs software called OneKey Optimizer (OKO) that is effectively crapware, and performs functions such as automatically updating drivers and cleaning system “junk files”.

Moreover, LSE contained a security vulnerability that left affected Lenovo laptops and PCs open to a buffer overflow attack and susceptible to attempted connections to a Lenovo test server.

HANDS UP

The affected devices were manufactured between October 23, 2014 and April 10, 2015, with Windows 8 and 8.1 preinstalled.

Lenovo said the security vulnerability was “brought to its attention” by an independent security researcher in May. On July 31, Lenovo issued a BIOS firmware update that eliminates the security vulnerability.

“In coordination with Mr. Schouwenberg [the researcher] and in line with industry responsible disclosure best practice, on July 31, 2015, we issued Lenovo Product Security Advisories, that highlighted the new BIOS firmware – specifically for consumer Notebook and Desktop,” said Lenovo.

“The vulnerability was linked to the way Lenovo utilised a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs.

“Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.”

The news comes after Lenovo was embroiled in the ‘Superfish’ debacle that affected Lenovo laptops manufactured in almost the same timeframe. Superfish was preinstalled adware that hijacked search results in favour of Lenovo’s business.

The adware used a self-signed root certificate which allowed it to collect users’ data from web browsers. The certificate allowed the software to drop advertisements into browser sessions secretly.

The Chinese firm had to apologise and issue an update to let users remove the adware in February.

Just like Superfish, the company said it has gotten rid of LSE. “As a result, LSE is no longer being installed on systems,” said the firm. “It is strongly recommended that customers update their systems with the new BIOS firmware which disables and or removes this feature.”

Job cuts

This week, Lenovo also revealed a round of job cuts at the company, with five percent of its workforce facing the chop as global sales decline. The company even witnessed low demand in its home market of China, as sales in the second quarter of 2015 dived 16 percent.

More than three thousand non-manufacturing jobs are set to be axed, said Lenovo, offering a possible saving of £416 million in the second half of the year.

The firm’s net profit fell by 51 percent compared to the same quarter last year, down $105 million (£67m). Lenovo endured particularly bad sales in its mobile division, failing to turn its 2014 $2.9 billion (£1.9bn) buyout of Motorola from Google into a success.

Ben Sullivan

Ben covers web and technology giants such as Google, Amazon, and Microsoft and their impact on the cloud computing industry, whilst also writing about data centre players and their increasing importance in Europe. He also covers future technologies such as drones, aerospace, science, and the effect of technology on the environment.
