Lenovo has urged its users to download and update the latest BIOS firmware update that disables a controversial “unwanted software” from Lenevo PCs, notebooks and laptops.
After much criticism, Lenovo finally broke silence on the matter- unauthorized installation of certain programs in large number of Lenovo computers. The company was using a “rootkit-like” technique to install certain programs forcefully on a large number of its Windows laptops and PCs. Lenovo was using BIOS to keep track of certain applications on Windows’ system files and overwrite it on boot-up with its in-house alternative called Lenovo Service Engine (LSE).
Furthermore, a vulnerability was found in the way the company was tweaking the BIOS. The vulnerability, if exploited, allowed an attacker to gain admin-level access of the system and install malicious code. Lenovo issued a patch to fix it on July 31, but it requires manual installation.
In a public announcement, the company has now said that its latest BIOS firmware, which was released on July 31, disables the script which allowed automatic reinstallation of unwanted software even after a full Windows wipe. The vulnerability affected a large pool of Lenovo PCs and laptops including Flex 3 1120, Yoga 3 11, and Horizon 2 27 among others. All the new laptops that shipped after June 2015 aren’t affected with the said vulnerability.
“The vulnerability was linked to the way Lenovo utilised a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. Think-brand PCs are unaffected,” wrote Lenovo.
“Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.”
The update firmware is available to download from company’s website. Depending on the configuration of your BIOS, Lenovo has also put up instructions to help you install the update on your machine.
The full list of impacted products is as follows:
Lenovo notebooks: Flex 2 Pro 15 (Broadwell), Flex 2 Pro 15 (Haswell), Flex 3 1120, Flex 3 1470/ 1570, G40-80/ G50-80/ G50-80 Touch, S41-70/ U41-70, S435/ M40-35, V3000, Y40-80, Yoga 3 11, Yoga 3 14, Z41-70/ Z51-70, Z70-80/ G70-80.
Lenovo desktops (world wide): A540/ A740, B4030, B5030, B5035, B750, H3000, H3050, H5000, H5050, H5055, Horizon 2 27, Horizon 2e (Yoga Home 500), Horizon 2S, C260, C2005, C2030, C4005, C4030, C5030, X310 (A78), X315 (B85).
Lenovo desktops (China only): D3000, D5050, D5055, F5000, F5050, F5055, G5000, G5050, G5055, YT A5700k, YT A7700k, YT M2620n, YT M5310n, YT M5790n, YT M7100n, YT S4005, YT S4030, YT S4040, YT S5030.