Sign up to our newsletter
Lenovo has urged its customers to update their laptops and computers, following revelations that it had surreptitiously installed a script that meant its own unwanted software would reinstall itself even after a full Windows wipe.
In an official press release, the Chinese multinational tech company explained that its latest BIOS firmware will correct issues to do with Lenovo Service Engine (LSE).
The LSE software, which has been found to be virtually unremovable on Lenovo devices, has been widely criticised for not only reinstalling itself after being removed, but for introducing a security vulnerability to certain products.
Some of the affected devices include laptops such as the Flex 2 Pro 15, Flex 3 1120, Y40-80, Yoga 3 11, Yoga 3 14 and Z41-70/Z51-70; and desktops including A540/A740, B4030, H5055, Horizon 2 27, C5030 and X310(A78).
The issue was first brought to the attention of Lenovo in May by security researcher Roel Schouwenber. He discovered that through this software, he was able to deliver a “privilege escalation” attack.
In other words, this design flaw makes it possible for cybercriminals to gain administrator-level control over a computer.
“The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs,” the company stated.
“Think-brand PCs are unaffected. Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.”
News of this comes on the back of a similar shortcoming on the part of Lenovo. Earlier this year, the company was taken to task over “Superfish”, which was a type of adware that came preinstalled on some of its laptops.
It was revealed that Superfish had the ability to monitor user activity online and in turn suggest advertisements based on their viewing habits. However, security flaws were observed in this meaning personal information, including bank details, could be accessed.
Author Karl Thomas, ESET