Share This article

For years, enthusiasts who weren’t willing to tolerate bloated OEM installs of Windows software have had a simple solution to the problem: Reformat the hard drive and install a retail copy of the operating system. While the number of people who take advantage of this option is small compared with the millions who buy laptops, that tiny loss of revenue must have significantly irked Lenovo. The company developed and deployed a method of forcing its laptops to download bundled adware and applications.

Both Windows 7 and Windows 8 laptops were targeted, but the functionality was implemented in two different ways. In Windows 7, the system checked to see if the autochk.exe file was provided by Lenovo or Microsoft. If it detected the Microsoft default file, it copied it to a different location and replaced it with an autochk.exe from Lenovo. It also writes LenovoUpdate.exe and LenovoCheck.exe to the System32 directory. All of this occurs while your new installation of Windows is booting for the first time, which means the commands and files are stored within the system BIOS. In Windows 8, the system instead copies a Microsoft file, wpbbin.exe to System32, and uses it to execute code while the BIOS is booting up. Thanks to forum readers on Ars Technica for figuring this one out.

Either way, not long after installing completely fresh versions of Windows, users were greeted with a pop-up dialog box that said: Note: This is from the product itself and not from the network. To help you continue to upgrade system firmware and software, in order to make your system more stable, safe and high performance, download and install the Lenovo system optimization software. The software download process needs to connect to the internet. Click here to read the Lenovo License Agreement LLA.

This application has been identified as the Lenovo Service Engine, or LSE. If you accept the terms, LSE downloads and runs a separate program, called OneKey Optimizer. Lenovo describes this gem as follows: “OneKey Optimizer is powerful, next-generation system optimization software designed specifically for Lenovo computers. It can enhance your PC’s performance by updating firmware, drivers, and pre-installed apps. It also provides power management schemes that can extend the life of your battery.”

Lenovo published an updated BIOS that removed this capability late last month, but that doesn’t really solve the underlying issues. It’s also not clear if Lenovo shipped this “feature” on any of the systems that contained Superfish, but Lenovo was certainly shipping it after promising to avoid crapware in the future. A full list of impacted systems is available here.

Your system isn’t yours

The first thing to understand about this issue is that Lenovo didn’t just hack in some illicit framework to deliver this software. Microsoft explicitly supports this functionality, via the Windows Platform Binary Table. This kind of overt capability could explain why the NSA went to the trouble of intercepting PC shipments intended for certain targets over the years — it knows there are ways to insert hacks directly into firmware that the end user can’t remove, even by replacing physical components.

No, this issue isn’t as terrible as Superfish, because few things are, but it’s easy to see how the ability to load programs from the UEFI image at boot could be combined with Superfish’s complete security fail to cook up some truly nasty malware payloads. When Superfish was discovered, some Lenovo fans argued that the company was guilty of failing to perform due diligence, but not guilty of deliberately compromising user security. This type of feature is something that can only happen with Lenovo’s direct involvement — it wrote the software, loaded it into the UEFI, and distributed the final product to consumers.

Lenovo’s mealy-mouthed defense of this policy is basically the same thing it said about Superfish. It begins with: In the April – May timeframe, Lenovo made available new BIOS firmware for some of its consumer PCs that eliminated a security vulnerability that was discovered and brought to its attention by an independent security researcher, Roel Schouwenberg. That wording implies that this security flaw magically made its way on to customer systems as an inadvertent “oops,” or harmless prank. Lenovo engineered the damn thing to start with.

The apologia continues: The vulnerability was linked to the way Lenovo utilized a Microsoft Windows mechanism in a feature found in its BIOS firmware called Lenovo Service Engine (LSE) that was installed in some Lenovo consumer PCs. Think-brand PCs are unaffected. (Emphasis added).

Lenovo continues to roll out the “ThinkPad PCs are unaffected” line as though this is an intrinsic positive. It’s great to know which machines are affected, but it underscores the point that Lenovo treats its business customers like actual humans and its consumer customers with contempt. Want to avoid OEM-installed garbage? Too bad. Want to surf the web without connecting to every bank site or e-commerce division in plain text? Too bad!

In February, Lenovo promised that by the time Windows 10 arrived, it would have changed its ways, mended its fences, and stopped shipping PCs that installed software that users neither wanted nor needed. Clearly the company has a long way to go to meet that goal.