Friday, August 14, 2015

Lenovo, persistent software installed by exploiting a feature of … – Hardware upgrade.it

Windows 8 and Windows 10 include a feature (the Windows Platform Binary Table, WPBT) that lets PC manufacturers embed a Windows executable in the system firmware. Windows extracts this executable during boot and runs it, which allows the manufacturer to install its own software even on a computer whose disk has been wiped and that is running a clean installation.
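
The mechanism described above is the WPBT: an ACPI table in which the firmware points at a PE image in memory together with a command line, and Windows copies that image to disk and runs it at boot. The following is an added example, not code from the article or from Lenovo, that decodes such a table and looks for one on the current machine. The field layout follows Microsoft's published WPBT specification; the sample table is constructed here for illustration, and its OEM strings, addresses and command line are placeholders, not values taken from any real system.

```python
"""Parse and sanity-check a Windows Platform Binary Table (WPBT).

Added example, not code from the article or from Lenovo. Field layout
follows Microsoft's published WPBT specification; the sample table below
is constructed for illustration, not captured from a real PC.
"""
import os
import struct
import sys
from dataclasses import dataclass
from typing import Optional

# Standard 36-byte ACPI table header, then the WPBT-specific body:
# handoff size, handoff physical address, content layout, content type,
# command-line length (command line itself follows, UTF-16LE, NUL-terminated).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")

CONTENT_LAYOUT = {1: "single PE image"}
CONTENT_TYPE = {1: "native user-mode application"}


@dataclass
class Wpbt:
    oem_id: str
    oem_table_id: str
    binary_size: int      # bytes of PE image the firmware placed in memory
    binary_paddr: int     # physical address Windows copies it from
    content_layout: int
    content_type: int
    cmdline: str          # arguments passed to the binary when it is run


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI tables are checksummed so that all bytes sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a raw WPBT blob, rejecting malformed or corrupted tables."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table shorter than WPBT minimum")
    sig, length, _rev, _csum, oem_id, oem_tid, _orev, _cid, _crev = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"signature {sig!r} is not WPBT")
    if length != len(table):
        raise ValueError(f"header length {length} != blob length {len(table)}")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    size, paddr, layout, ctype, cmdlen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    off = ACPI_HEADER.size + WPBT_BODY.size
    if off + cmdlen > len(table):
        raise ValueError("command line runs past end of table")
    cmdline = table[off:off + cmdlen].decode("utf-16-le", errors="replace").rstrip("\x00")
    return Wpbt(oem_id.decode("ascii", "replace").strip(),
                oem_tid.decode("ascii", "replace").strip(),
                size, paddr, layout, ctype, cmdline)


def build_wpbt(oem_id: bytes, oem_table_id: bytes, size: int, paddr: int, cmdline: str) -> bytes:
    """Assemble a well-formed WPBT with a valid checksum (used for the sample below)."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(size, paddr, 1, 1, len(args)) + args
    total = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", total, 1, 0, oem_id.ljust(6), oem_table_id.ljust(8), 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) % 256          # checksum byte sits at header offset 9
    return bytes(table)


def describe(w: Wpbt) -> str:
    return (f"WPBT from OEM {w.oem_id!r} ({w.oem_table_id!r}): "
            f"{CONTENT_LAYOUT.get(w.content_layout, 'unknown layout')}, "
            f"{CONTENT_TYPE.get(w.content_type, 'unknown type')}, "
            f"{w.binary_size} bytes at 0x{w.binary_paddr:x}, args {w.cmdline!r}")


def read_platform_wpbt() -> Optional[bytes]:
    """Return this machine's WPBT if the firmware exposes one, else None."""
    if sys.platform.startswith("linux"):
        path = "/sys/firmware/acpi/tables/WPBT"
        return open(path, "rb").read() if os.path.exists(path) else None
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        provider = 0x41435049                        # 'ACPI', as defined for GetSystemFirmwareTable
        table_id = struct.unpack("<I", b"WPBT")[0]   # signature in in-memory byte order
        n = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
        if n == 0:
            return None
        buf = ctypes.create_string_buffer(n)
        k32.GetSystemFirmwareTable(provider, table_id, buf, n)
        return buf.raw
    return None


# Constructed sample table: placeholder OEM strings, address and arguments.
SAMPLE = build_wpbt(b"SAMPLE", b"SAMPLE01", 0x1000, 0x7F000000, "-silent")

if __name__ == "__main__":
    live = read_platform_wpbt()
    print(describe(parse_wpbt(live)) if live else "no WPBT exposed by this firmware")
    print(describe(parse_wpbt(SAMPLE)))
```

Run as a script it reports whether the current firmware exposes a WPBT and decodes the constructed sample. On a Windows machine where a table is present, the binary it points at is also written to disk by the boot process as wpbbin.exe under System32, so its hash and signature can be examined. A table that parses cleanly says only that the feature is in use, nothing about whether the embedded binary is trustworthy, which is exactly the point of the LSE case.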

While most OEMs do not appear to use this feature, Ars Technica recently found that Lenovo did, between October 2014 and April 2015, to install software on some of its desktop and notebook systems. The software is Lenovo Service Engine (LSE), which performs different tasks depending on whether it is installed on a desktop or on a notebook.

On desktops, the software collects only basic information (PC model, geographic region, date and system ID) and sends it to a Lenovo server only the first time the system connects to the Internet. The information collected should not allow the user to be identified, although the system ID is a unique code for each device.

When LSE is installed on a notebook, it installs a further application called OneKey Optimizer (OKO). Alongside some useful tasks, such as updating drivers, this software also performs functions of rather dubious value, such as system "optimization" and file "cleaning".

The problem, though, is that LSE and/or OKO are not trustworthy: they showed a number of flaws (such as buffer overflows and insecure network connections) that security researcher Roel Schouwenberg disclosed to Lenovo and Microsoft in recent months. Following Schouwenberg's reports, Lenovo decided to stop including LSE in new systems (products shipped from June onward should no longer carry the software) and released firmware updates for both notebooks and desktops.

Linked to LSE, an even more troubling problem was also discovered, one that unexpectedly affects Windows 7 as well. In this case LSE apparently replaces a Windows system file, autochk.exe, which runs a disk check at startup. The fake autochk.exe creates system services that download files over an unencrypted HTTP connection.

Lenovo's own details mention the ability to overwrite system files, but it is unclear how this can happen on Windows 7, since the ability to launch executables stored in the firmware only arrived with Windows 8; nor is it clear why a system file would need to be overwritten at all.

The main purpose of the firmware-executable boot feature is to allow anti-theft software to be installed automatically. Such software does a number of things that require connectivity, such as reporting the machine's location or allowing it to be locked remotely. Since it is not uncommon for a stolen laptop to have its disk wiped, the feature is designed to let the anti-theft software be restored even after the disk has been erased, so the system can still report that it was stolen.

It is not the only technique the industry uses to inject anti-theft software into the operating system: LoJack/Computrace, for example, one of the most widely used anti-theft solutions, relies on a piece of BIOS code that modifies Windows system files, autochk.exe among them. It is therefore possible that LSE uses a similar technique when booting older operating systems such as Windows 7.

For anti-theft alone this is a sensible and useful feature, one that in practice leaves the owner of the system free to decide the appropriate level of protection in case of theft. LoJack/Computrace, for example, normally ships in the "disabled" state and requires user intervention to become operational. LSE is a very different case: it is not really useful software, it has security problems and, what is more, it is enabled by default.
