Lenovo Hit With Criticism Over Second Rootkit-Like Utility

Lenovo is under fire again for installing a covert utility on laptops and desktops that some users have compared to a rootkit.

The issue stems from a utility called the Lenovo Service Engine, that is designed to collect some system information and send it to Lenovo at the time the machine connects to the Internet. But some Lenovo users discovered that even after reinstalling a fresh version of Windows, the LSE software reinstalls itself and prompts users to install another piece of software.

“Lenovo Service Engine (LSE) is a utility in the BIOS for certain Lenovo desktop systems. It automatically sends non-personally identifiable system data to a Lenovo server one time when the system is first connected to the internet and then does not send any additional data,” Lenovo says in an advisory

In a statement, the company said it was alerted to the issue by researchers at Microsoft, as well as Roel Schouwenberg, an independent security researcher. Lenovo has released new BIOS firmware for existing laptops and desktops and said that it has stopped including the LSE utility in machines manufactured since June.

“The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. Think-brand PCs are unaffected. Along with this security researcher, Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server,” the Lenovo statement says.

This is the second time in six months that Lenovo has been in hot water for a similar issue. In February researchers identified a utility called Superfish on Lenovo laptops that functions as an HTTP proxy and performs man-in-the-middle interception of requests and generates certificates for HTTPS connections. Researcher Rob Graham cracked the password for the utility, and the certificate for Superfish was the same on all affected laptops.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.