Domain: lenovo.com
Stories and comments across the archive that link to lenovo.com.
Stories · 22
-
Lenovo Finally Pays $7.3 M Fine Over Invasive 2014 'Superfish' Adware Pre-Installations (softpedia.com)
Lenovo will add $7.3 million into a $1M fund settling a class action lawsuit over their undisclosed pre-installation of Superfish's targeting adware on 28 different laptop models in 2014.
Within one year the U.S. Department of Homeland Security had warned that the adware made laptops vulnerable to SSL spoofing, allowing the reading of encrypted web traffic and the redirecting of traffic from official websites to spoofs, while according to Bloomberg the original software itself also "could access customer Social Security numbers, financial data, and sensitive health information, the court said."
An anonymous reader quotes Softpedia: According to a "SuperFish Vulnerability" advisory published by Lenovo on their support website following the discovery of the pre-installed software by consumers, the VisualDiscovery comparison search engine software was designed to work in the background, intercepting HTTP(S) traffic with the help of a self-signed root certificate that allowed it to decrypt and monitor all traffic, encrypted or not.... "VisualDiscovery was installed on nearly 800,000 Lenovo laptops sold in the United States between September 1, 2014 and February 28, 2015," also states the settlement agreement. "On January 18, 2015, in response to mounting complaints about the effects of VisualDiscovery, Lenovo instructed Superfish to turn it off at the server level...."
Out of the 800,000 who bought the laptops that came with VisualDiscovery pre-installed, the 500,000 ones who registered their devices with Lenovo or bought them from retailers such as Best Buy and Amazon will be contacted directly by the Chinese company and informed about the settlement agreement. The rest of the customers who cannot be reached straightaway will be targeted by Lenovo using multiple online advertising platforms, from Google to Twitter and Facebook.
A separate settlement with the FTC in 2017 was criticized for its failure to fine Lenovo -- though it did require the company to get affirmative consent for any future adware programs, plus regular third-party audits of its bundled software for the next 20 years. -
Bluetooth Security Flaw Could Let Nearby Attacker Grab Your Private Data (zdnet.com)
A recently discovered bug in many Bluetooth firmware and OS drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices. Researchers at the Israel Institute of Technology discovered the flaw, which was flagged today by Carnegie Mellon University CERT. It affects Bluetooth's Secure Simple Pairing and Low Energy Secure Connections. ZDNet reports: As the CERT notification explains, the vulnerability is caused by some vendors' Bluetooth implementations not properly validating the cryptographic key exchange when Bluetooth devices are pairing. The flaw slipped into the Bluetooth key exchange implementation which uses the elliptic-curve Diffie-Hellman (ECDH) key exchange to establish a secure connection over an insecure channel. This may allow a nearby but remote attacker to inject a bogus public key to determine the session key during the public-private key exchange. They could then conduct a man-in-the-middle attack and "passively intercept and decrypt all device messages, and/or forge and inject malicious messages." Thankfully, patches are on the way. "Intel recommended users upgrade to the latest support driver and to check with vendors if they have provided one in their respective updates," reports ZDNet. "Dell has released a new driver for the Qualcomm driver it uses while Lenovo's update is for the flaw in Intel software. LG and Huawei have referenced fixes for CVE-2018-5383 in their respective July updates for mobile devices." It is not yet known if Android, Google, or the Linux kernel are affected. Apple has released a patch for the flaw earlier this month. -
Laptops With 128GB of RAM Are Here (theverge.com)
An anonymous reader quotes a report from The Verge: Brace yourself for laptops with 128GB of RAM because they're coming. Today, Lenovo announced its ThinkPad P52, which, along with that massive amount of memory, also features up to 6TB of storage, up to a 4K, 15.6-inch display, an eighth-gen Intel hexacore processor, and an Nvidia Quadro P3200 graphics card. The ThinkPad also includes two Thunderbolt three ports, HDMI 2.0, a mini DisplayPort, three USB Type-A ports, a headphone jack, and an Ethernet port. The company hasn't announced pricing yet, but it's likely going to try to compete with Dell's new 128GB-compatible workstation laptops. The Dell workstation laptops in question are the Precision 7730 and 7530, which are billed as "ready for VR" mobile workstations. According to TechRadar, "These again run with either 8th-gen Intel CPUs or Xeon processors, AMD Radeon WX or Nvidia Quadro graphics, and the potential to specify a whopping 128GB of 3200MHz system memory." -
AMD Releases Ryzen PRO Processors Worldwide, 8-Core Ryzen Threadripper 1900X (techradar.com)
Today, AMD announced the global release and broad adoption of AMD Ryzen Pro desktop processors. At its launch event in New York City, the company touted three main pillars that define these chipsets: reliability, security, and performance. They support features like Trusted Platform Module 2.0, which integrates secure microcontrollers into devices, GuardMI technology, which enables silicon-level security to help protect against threats, and SenseMI technology, which consists of a collection of smart features that aims to fine-tune performance for most responsive applications. For the first time, AMD has partnered with the top three PC OEMs: HP, Dell and Lenovo. Brad Chacos for PCWorld provides a "rundown of the commercial-focused Ryzen Pro systems that are coming down the pipeline, straight from AMD":
-Dell Optiplex 5055 desktop PCs are expected to ship in the coming weeks.
-HP EliteDesk 705 desktop PCs are expected to ship in the coming weeks.
-Lenovo ThinkCentre M715 desktop PCs are expected to ship in the coming weeks.
-Lenovo ThinkPad A475 and A275 notebook PCs are expected in Q4 2017.
-Ryzen PRO mobile processors are scheduled for launch in the first half of 2018.
The global launch of the Ryzen Pro processors is not the only bit of news AMD announced. The company also announced the release of a new budget Threadripper 1900X model. From a report via TechRadar: AMD has released its 8-core Ryzen Threadripper 1900X processor, offering people who were put off by the high price of the flagship 16-core Threadripper 1950X a chance to build a PC with all of the advanced Threadripper features for almost half the cash. As we expected, the Threadripper 1900X will come with eight cores clocked at 3.8GHz, with a turbo that reaches 4.0GHz (and an XFR boost to 4.2GHz), and will cost $549 -- almost half the Threadripper 1950X's $999 asking price, and a fair bit cheaper than the mid-range Threadripper 1920X, which costs $799. In fact, the price is within touching distance of the AMD Ryzen 7 1800X, which comes with eight cores and 16 threads, and costs $499. -
Lenovo Denies Claims It Plotted With Microsoft To Block Linux Installs (theregister.co.uk)
Reader kruug writes: Several users noted certain new Lenovo machines' SSDs are locked in a RAID mode, with AHCI removed from the BIOS. Windows is able to see the SSD while in RAID mode due to a proprietary driver, but the SSD is hidden from Linux installations -- for which such a driver is unavailable. Speaking to The Register today, a Lenovo spokesperson claimed the Chinese giant "does not intentionally block customers using other operating systems on its devices and is fully committed to providing Linux certifications and installation guidance on a wide range of products."
Complaints on Lenovo's forums suggest that users have been unable to install GNU/Linux operating systems on models from the Yoga 900S to the Ideapad 710S, with one 19-page thread going into detail about the BIOS issue and users' attempts to work around it. -
Lenovo's 'Yoga Book' Laptop Is So Thin It Needs A Touchscreen Keyboard (gizmodo.com)
An anonymous reader writes: At IFA in Berlin, Lenovo announced the Yoga Book, a laptop that measures in at just 0.38-inches thick, making it the thinnest laptop currently available. In order for it to retain such a slim profile, the keyboard needed to be redesigned. The Yoga Book features what is called the Halo Keyboard, a touchscreen keyboard that is separated from the display and doubles as a drawing tablet. Gizmodo reports: "Officially it's called the Halo Keyboard, and if you've ever tried to quickly type on a tablet's software keyboard then you'll be familiar with the experience. Only it's a little nicer because the keyboard is separated from the display, so it doesn't suck up screen real estate, and it has a pleasantly rough texture. It's also got haptic feedback, which in the case of a touchscreen keyboard is sort of like sticking lipstick on the pig. A press of a button turns the keys off and turns the keyboard into a drawing tablet. From there, it behaves a lot like a Wacom tablet, directly reporting pen input into your chosen app. It even reads pen inputs through paper laid over the input panel." Some other specs of this 2-in-1 laptop/tablet include an Intel Atom processor, 64GB of onboard storage with support for a microSD card, 13 hours of battery life, 4G LTE, 802.11 AC Wi-Fi, front and rear cameras, and a 10.1-inch, 1080p display. -
Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes
Long-time Slashdot reader itwbennett writes: Lenovo is advising users to upgrade to version 3.3.003 of Lenovo Solution Center (LSC), which includes fixes for two high-severity vulnerabilities in the tool. [The tool] allows users to check their system's virus and firewall status, update their Lenovo software, perform backups, check battery health, get registration and warranty information and run hardware tests.
The CVE-2016-5249 vulnerability allows an attacker who already has control of a limited account on a PC to execute malicious code via the privileged LocalSystem account. And the CVE-2016-5248 vulnerability allows any local user to send a command to LSC.Services.SystemService in order to kill any other process on the system, privileged or not. -
Top Windows OEM Lenovo Urges Customers To Uninstall Accelerator Application (lenovo.com)
Two-Factor Authentication service Duo Security reported earlier that third-party updating tools found on Dell, HP, Lenovo, Acer, and Asus (the top five Windows OEMs) are vulnerable to man-in-the-middle attacks. Hours later, Lenovo, the world's largest Windows OEM by shipment figure, has issued an advisory in which it urges users to uninstall Accelerator Application, which comes preinstalled on many of its laptop and desktop models. Fortune reports: Specifically, as Lenovo said in an advisory notice, the auto-update feature in its Accelerator Application software can be exploited by a "man-in-the-middle attack" -- someone could get in between the computer and the server pushing out the updated software, fooling the computer into installing a fake version of the update instead of the genuine article. Such attacks can allow anything from surreptitious malware installation to the insertion of surveillance capabilities, or even the hijacking of PCs. -
Lenovo Patches Serious Flaw In Pre-Installed Support Tool (csoonline.com)
Reader itwbennett writes: Lenovo has made available a patch for the vulnerability in its Lenovo Solution Center, a support tool which comes pre-installed on many Lenovo laptops and desktops. The vulnerability could allow attackers to execute code with system privileges and take over computers. Users should automatically be prompted to update LSC when they open the application, but in case they aren't, they should download the latest version (3.3.002) manually from Lenovo's website. This is not the first time such a vulnerability has been found and fixed in LSC. In fact, Lenovo updated an old advisory for flaws reported in December with information about the new vulnerability, making it somewhat hard to spot. -
Lenovo Patches Serious Vulnerabilities In PC System Update Tool (csoonline.com)
itwbennett writes: "For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs," writes Lucian Constantin. Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers' drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive. -
Yet Another Compromising Preinstalled "Glitch" In Lenovo Laptops
New submitter execthis writes: Japanese broadcaster NHK is reporting that yet another privacy/security-compromising "glitch" has been found to exist in preinstalled software on Lenovo laptops. The article states that the glitch was found in Spring and that in late July Lenovo began releasing a program to uninstall the difficult-to-remove software. The article does not specify, but it could be referring to a BIOS utility called Lenovo Service Engine (LSE) for which Lenovo has released a security advisory with links to removal tools for various models. -
Lenovo Installed Software On Laptops That Persisted After Complete Wipes
An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place." -
Lenovo Saying Goodbye To Bloatware
An anonymous reader writes: "Lenovo today announced that it has had enough of bloatware. The world's largest PC vendor says that by the time Windows 10 comes out, it will get rid of bloatware from its computer lineups. The announcement comes a week after the company was caught shipping Superfish adware with its computers. The Chinese PC manufacturer has since released a public apology, Superfish removal tool, and instructions to help out users. At the sidelines, the company also announced that it is giving away a 6-month free subscription to McAfee LiveSafe for all Superfish-affected users." -
Homeland Security Urges Lenovo Customers To Remove Superfish
HughPickens.com (3830033) writes "Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites and perform other attacks on Lenovo PCs with the software installed. Lenovo initially said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."" -
Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers
An anonymous reader writes It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission. Another anonymous reader points to this Techspot article, noting that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick. Also at ZDnet. -
Lenovo Recalls LS-15 Power Cords
jones_supa writes US Consumer Product Safety Commission reports that Lenovo is recalling a batch of laptop AC power cords due to fire hazard. The power cords have been bundled with IdeaPad brand B-, G-, S-, U-, V- and Z-series laptop computers and Lenovo brand B-, G- and V-series laptop computers. The recalled power cords are black in color and have the "LS-15" molded mark on the base of the IEC 60320 connector. The company seems to have been bitten by the exact same problem that HP faced this summer. Lenovo has set up an info page for affected customers. -
Lenovo Completes Motorola Deal
SmartAboutThings writes If somehow you missed the reports of Lenovo buying Motorola – which was also bought by Google for $12.5 billion back in 2011 – then you should know that the deal is now complete. Lenovo has announced today that Motorola is now a Lenovo company — which makes Lenovo not only the number one PC maker in the world but also the third-largest smartphone maker. -
Lenovo Announces Grand Opening of US Manufacturing Facility
Kohenkatz writes "Chinese PC maker Lenovo had a ceremony [Wednesday] to mark the official grand opening of their new manufacturing facility in Whitsett, North Carolina. The 240,000-square-foot facility, located approximately 10 miles east of Greensboro, NC, was already being used as a Logistics Center, Customer Solutions Center, and National Returns Center, and is now also being used for Production. While actual line operations began in January 2013, the facility is on track to reach full operation by the end of June. The facility is equipped to build several types of Think-branded products, including desktops, tablets, and ultrabooks. Note that due to the extensive use of automation, the factory only adds 115 manufacturing jobs at the facility." -
AU Government To Build "Unhackable" Netbooks
bennyboy64 writes "In what may be one of the largest roll-outs yet of Microsoft's new Windows 7 Operating System, Australia's Federal Government decided to give 240,000 Lenovo IdeaPad S10e netbooks to Year 9-12 students. Officials are calling them 'unhackable.' iTnews reports that the laptops come armed with an enterprise version of the Windows 7 OS, Microsoft Office, the Adobe CS4 creative suite, Apple iTunes, and content geared specifically to students. New South Wales Department of Education CIO Stephen Wilson said that schools were 'the most hostile environment you can roll computers into.' While the netbooks are loaded with many hundreds of dollars worth of software, 2GB of RAM, and a 6-hour battery, the cost to the NSW Department of Education is under $435 (US) a unit. Wilson praised Windows' new OS: 'There was no way we could do any of this on XP,' he said. 'Windows 7 nailed it for us.' At the physical layer, each netbook is password-protected and embedded with tracking software that is embedded at the BIOS level of the machine. If a netbook were to be stolen or sold, the Department of Education is able to remotely disable the device over the network. Each netbook is also fitted with a passive RFID chip which will enable the netbooks to be identified 'even if they were dropped in a bathtub.' The Department of Education also uses the AppLocker functionality within Windows 7 to dictate which applications can be installed." -
Lenovo Software Update Stealthily Installs Adware
An anonymous reader writes "A recent Lenovo automatic software update has the great feature of displaying annoying pop-up ads for Lenovo products. What's worse, it appears that many users are unable to turn the advertisement 'feature' off, subjecting them to pop-ups every couple of hours. Gee guys, a note about your 20% off sale in my e-mail wouldn't have bothered me that much, but you really had to pop up over top of my PowerPoint slides? I'm sure that all of my office colleagues will be running to order ThinkPads ..." -
Lenovo Announces the IdeaPad
An anonymous reader writes "Marking the start of news releases from this year's Consumer Electronics Show, Lenovo has dropped a major announcement on consumers - the arrival of a new line of notebooks. The IdeaPads will be the consumer-friendly companion to the ThinkPads. The announcement covers three notebooks, the 17" Y710, the 15" Y510, and the 11", 2.4lb U110. The IdeaPads will bring a number of firsts to Lenovo's notebooks, including a SSD upgrade option, dual hard drives (Y710 only), and a 17" notebook." -
Lenovo Announces ThinkPads Preloaded With XP
BBCWatcher writes "Lenovo just announced new ThinkPad T61 models preloaded with Microsoft Windows XP. Ironically they're called ThinkPad T61 'TopSeller' models. Lenovo says they're aimed at small and medium-sized businesses. The XP TopSellers are available immediately, and the part numbers are 6465-03U, 7658-04U, and 7664-06U (PDF links). "Lenovo recommends Windows Vista Business"? Not so much."