Lenovo's Superfish bloatware scandal reveals a sneaky tactic we thought Microsoft had started

Discussion in 'Security and Anti-Virus Software' started by Phoenix, Sep 6, 2017.

  1. Phoenix

    Phoenix Super Tweaker

  2. don_svetlio

    don_svetlio Notebook Virtuoso

    Correct me if wrong but this was only on machines which were pre-installed with an OS. Anyone doing a clean install on their own drives wasn't affected from what I remember.
     
  3. hmscott

    hmscott Notebook Nobel Laureate

    For 2015:

    CAUGHT: Lenovo crams unremovable crapware into Windows laptops – by hiding it in the BIOS
    How Microsoft made it possible, and how to truly purge it
    https://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/

    "Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability.

    If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop's firmware will quietly and automatically reinstall Lenovo's software on the next boot-up...
    Built into the firmware on the laptops' motherboard is a piece of code called the Lenovo Service Engine (LSE). If Windows is installed, the LSE is executed before the Microsoft operating system is launched.

    The LSE makes sure C:\Windows\system32\autochk.exe is Lenovo's variant of the autochk.exe file; if Microsoft's official version is there, it is moved out of the way and replaced. The executable is run during startup, and is supposed to check the computer's file system to make sure it's free of any corruption.

    Lenovo's variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system's system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot.

    LenovoCheck and LenovoUpdate are executed on startup with full administrator access. Automatically, and rather rudely, they connect to the internet to download and install drivers, a system "optimizer", and whatever else Lenovo wants on your computer. Lenovo's software also phones home to the Chinese giant details of the running system.

    To pull this off, the LSE exploits Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.

    The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.

    "During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary," Microsoft's documentation states.

    "The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process."

    Crucially, the WPBT documentation stresses:

    The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration ... Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.
    Oh dear. Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.

    After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft's security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.

    Lenovo has also pulled the LSE from new desktop machines. Incredibly, Lenovo was shipping desktop PCs that feature the LSE in their firmware. These models phone home system data, but do not install any extra software, and do not suffer from the aforementioned privilege-escalation vulnerability. The PC maker's laptops definitely do, however.

    Owners of LSE-afflicted computers urged to update their firmware
    A tool quietly released on July 31 will uninstall the engine if it is present in your machine: it is available here for notebooks, and available here for desktops.

    On Tuesday this week, Lenovo published a full list of affected desktop and notebook models. Desktop machines built between October 23, 2014 and April 10, 2015, with Windows 8 preinstalled, have the LSE inside them.

    Think-branded PCs did not include the LSE, we're told.

    "Lenovo Service Engine (LSE) is a utility in the BIOS that helps users download a program called OneKey Optimizer on certain Lenovo Notebook systems. The utility also sends non-personally identifiable system data to Lenovo servers," the Chinese goliath explained. "Lenovo, Microsoft and an independent researcher have discovered possible ways this program could be exploited by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server."

    The PC biz continued:

    LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE was not consistent with these guidelines and Lenovo recommends customers disable this utility by running a disabler program that disables LSE and removes the LSE files from the system.

    The LSE functionality has been removed from newly manufactured systems.

    Without this climbdown, it would have been virtually impossible for users to remove the rootkit-like engine from the firmware. El Reg hopes other manufacturers aren't doing the same with the WPBT.

    The fallout
    Suffice to say, netizens who have discovered this creepy code on their machines are not happy.

    "I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Windows 8 DVD and Wi-Fi turned off," a Hacker News user called chuckup said on Tuesday, on noticing Lenovo's bundleware suddenly appearing on his or her new computer.

    "I couldn't understand how a Lenovo service was installed and running. Delete the file and it reappears on reboot. I've never seen anything like this before. Something to think about before buying Lenovo."

    What is worrying is that all of this is pretty much what Microsoft intended. Its WPBT is engineered to allow manufacturers to painlessly inject drivers and programs into the operating system. It's supposed to be used for things like anti-theft tools, so a system can be disabled via the internet if it's stolen.

    But it also turns rootkit development and installation into a painting-by-the-numbers exercise. Lenovo got caught because its engine had crap security. And it sounds as though Microsoft pressured Lenovo to kill it.

    "Richard Stallman is sounding less and less crazy with discoveries like this," noted another Hacker News poster, referring to the Free Software Foundation supremo who has warned for decades that we're losing control of our computers.

    "To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become."

    This comes on the back of Lenovo's Superfish scandal, in which the PC maker shipped laptops with adware on them that opened up people to man-in-the-middle eavesdropping. Miscreants could exploit the bundled crapware to snoop on victims' encrypted connections to websites.

    We've asked Microsoft to explain the thinking behind its WPBT feature. The Redmond giant was not available for immediate comment."
     
    Last edited: Sep 6, 2017
  4. Fluffyfurball

    Fluffyfurball Notebook Consultant

    This wasn't on the Thinkpads, right? You know, considering I own a Thinkpad now. :confused:
     
  5. don_svetlio

    don_svetlio Notebook Virtuoso

    No, ThinkPads have never been affected by this crap afaik.

    Also, I love ya @hmscott , but that's not SuperFish :p
     
  6. hmscott

    hmscott Notebook Nobel Laureate

    Do you think this is funny, Don? We are talking about not trusting Lenovo, pure and simple; every year there are new Lenovo "tricks" found to abridge our privacy and security. Below shows the same is true for the ThinkPad lineup: all of Lenovo's hardware firmware has been found with exploits, including servers.

    That's why the US Government and Military have stopped buying Lenovo hardware, and that's enough for me to stop recommending Lenovo to anyone. Given the long-term, continuing-to-this-day security problems with Lenovo, it's clear none of their line of hardware is "safe" to recommend.

    Here We Go Again: Lenovo and Another Security Issue aka ThinkPwn
    http://www.nationalcybersecurityins...novo-and-another-security-issue-aka-thinkpwn/

    New 0day vulnerability in Lenovo firmware found by Dmytro Oleksiuk aka Cr4sh
    https://www.peerlyst.com/posts/new-...ound-by-dmytro-oleksiuk-aka-cr4sh-newswatcher

    Exploring and exploiting Lenovo firmware secrets
    http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html
     
    Last edited: Sep 6, 2017
  7. don_svetlio

    don_svetlio Notebook Virtuoso

    I don't find it funny, no. I just think the whole ordeal is blown out of proportion.
     
  8. hmscott

    hmscott Notebook Nobel Laureate

    Your tone in the last reply was like this was some kind of game, a funny game to enjoy and exploit for chuckles.

    Like a BIOS exploit put in by Lenovo to keep installing their malware into fresh installs of Windows is a funny thing, blown all out of proportion.

    Like, "it couldn't happen to me", so why worry about it?

    You are recommending hardware to people, lots of people, and many of them might not think it's so funny, as these issues are serious to them and they might be the kind of targets of interest that should be concerned.

    When you make recommendations for Lenovo hardware you are putting those people at risk.

    And, that's not funny, or blown out of proportion, it's serious.

    4 Security Reasons That Explain Why You Should Avoid Lenovo PCs
    http://www.makeuseof.com/tag/security-failings-demonstrate-avoid-lenovo/

    "It’s happened again. Like a dodgy employee with their hand caught in the till and given one last chance, Chinese computer and smartphone manufacturer Lenovo has been pushing flawed bloatware on its users.

    Just 12 months after Superfish threatened to undermine the company’s reputation, this latest incident demonstrates one very clear point: Lenovo PCs are bad for your online security. Let’s look at why the time has come to start looking elsewhere for affordable computers."
     
  9. don_svetlio

    don_svetlio Notebook Virtuoso

    I mean, every single piece of software we have installed collects data. Hell, Microsoft's own OS is probably the biggest offender. We can't escape it, no matter how hard we try.
     
  10. hmscott

    hmscott Notebook Nobel Laureate

    Now that *IS* funny :)

    That's the kind of ridiculous blanket statement rejecting the reality of the situation that the victim makes in a Scifi / Horror movie just before their head is eaten by the monster. "We can't escape, we're doomed!!" *munch*

    It's not impossible to get safe enough to keep your head; you just have to use it. :confused::p:eek::D
     