Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed.
The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that “most” is not “all.” Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, calling the feature the “Lenovo Service Engine.”
Microsoft provides more detailed on what, exactly, this functionality, dubbed the Windows Platform Binary Table, is supposed to be for (.docx file!), and how it works. From reading the document, it becomes clear that installing tracking software – which is what Lenovo is using this for – is not exactly what Microsoft had in mind.
The Windows PC world is such a mess.
I think it’s time to forget buying Lenovo anything. Ever. First Superphish, now this. This is malware and should be considered nothing otherwise.
I can only wonder if the same nimrod at Lenovo was responsible for both …
Thank you for linking to that Microsoft document. I was wondering what other reason there could be for Microsoft to build in this “backdoor”, but reading that document showed how much care and thought went into that decision.
A few quotes:
“One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled”
Another: “The authenticated device owner should have the ability to disable or remove this functionality if desired.”
And the zinger: “This functionality is powerful and provides the capability for independent software vendors (ISV) and original equipment manufacturers (OEM) to have their solutions stick to the device indefinitely. Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions. In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent)”
Lenovo should simply loose their “Windows certified” qualification and do some soulsearching what they were thinking.
Had I known about this I might have bought another machine than my Yoga 3 14. I actually encountered the “LSE removal tool” on their website while looking for Windows 10 but couldn’t understand what it was for from their description. It is now removed!
Between Superfish and this, I think Microsoft should pull the trigger. It would send a message to consumers that Microsoft takes this seriously (brownie points) and at the same time send a message to OEM’s that this is not permissible.
However, I think nothing will happen. Perhaps someone should start a campaign to pressure Microsoft to do this.
“Microsoft doesn’t care.”
Hi,
If I remember correctly; there was an original “far too lame” WPBT specification that Lenovo followed where Lenovo did meet the requirements.
After it was too late, Microsoft improved their WPBT specification (and older Lenovo systems don’t meet the newer requirements).
I think you’re looking at the newer version.
– Brendan
WikiPedia has something like this: Source required!
“As a result of these findings, Microsoft recently released updated security guidelines (see page 10 of this linked PDF) on how to best implement this Windows BIOS feature. Lenovo^aEURTMs use of LSE was not consistent with these new guidelines.”
http://news.lenovo.com/article_display.cfm?article_id=2013
And thanks to http://web.archive.org/web/*/