Lenovo Installed Software On Laptops That Persisted After Complete Wipes

An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."

Vendor-sponsored Malware

[gweihir]

What is the world coming to?" It seems, no matter how obviously bad an idea is, somebody has to try it.

Re:Simple, no malice from Lenovo

Because geeks want to maintain complete control over that sort of thing, and when the vendor takes that away it feels like they are crossing a line.

This emotional response shouldn't be hard to understand or predict. Lenovo should continue doing this, but should put public disclosures of this sort of thing in easy-to-find documentation so that geeks know about this going in, rather than discover it on the outside. That wouldn't hurt their sales at all but would palliate a lot of nerd rage.

Re:Simple, no malice from Lenovo

[Djoulihen]

The problem is that this feature mostly targets users who are trying to get rid of lenovo software. On a laptop you would normally restore your system or reinstall windows using the recovery partition which is full of vendor-added software. If you went through the trouble of installing a clean version of windows (by finding an OEM install of windows you can use your key with) it probably means that you expect your installation to be clean of any lenovo software. But guess what, you still end up with Lenovo software installed behind your back. I'm not saying there is absolutely no good reason to have the Lenovo software installed, but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?". Then it's your choice to go along with their software or handle the possible windows update mess yourself like a responsible geek.

Re:Windows Platform Binary Table

[mythosaz]

In short then, the summary is wrong.

Windows, not Lenovo, installs software on Lenovo laptops, by requesting the software from compatible hardware.

Re:Simple, no malice from Lenovo

[sociocapitalist]

When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?

Do you work for Lenovo or are you just stoned?

This has nothing to do with protecting their reputation. This is a "We are installing really nasty spyware on your computer that you don't want and if you try and do a clean install we're going to install it again anyway".
http://www.ign.com/articles/20...

I will never buy a Lenovo product, nor recommend one to any of my clients.

Re:Simple, no malice from Lenovo

[Just+Some+Guy]

but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?"

Yeah, no. Because even then they're injecting unknown code into your otherwise pristine environment; that dialog ain't gonna display itself.

In the situation where the user has explicitly gone out of their way to install a clean OS, it's a fairly safe bet that they're expecting to boot into a clean freaking OS, not a "mostly clean except what the hardware vendor dicked around with" system. I don't want the Western Digital BIOS injecting a SATA driver update, or my keyboard injecting a keyboard driver update, or my laptop injecting a laptop driver update. If I'm capable of laying down a clean image, I'm capable of installing all that stuff myself if I want it.