Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Portables Privacy Security Your Rights Online

Yet Another Compromising Preinstalled "Glitch" In Lenovo Laptops 89

New submitter execthis writes: Japanese broadcaster NHK is reporting that yet another privacy/security-compromising "glitch" has been found to exist in preinstalled software on Lenovo laptops. The article states that the glitch was found in Spring and that in late July Lenovo began releasing a program to uninstall the difficult-to-remove software. The article does not specify, but it could be referring to a BIOS utility called Lenovo Service Engine (LSE) for which Lenovo has released a security advisory with links to removal tools for various models.
This discussion has been archived. No new comments can be posted.

Yet Another Compromising Preinstalled "Glitch" In Lenovo Laptops

Comments Filter:
  • "Those sites are backdoored and redirect a victim’s browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits."

    But can only be successfully exploited on Microsoft windows ..
  • by Anonymous Coward

    Are their PC's based on their laptops affected too? Stuff like the Idea Center?

    IMHO, Lenovo are a piece of shit, I have an ideacenter of theirs and it won't switch on unless you unplug the network cable and power, press 'on' a few times, them plug them back in and press on. This is just yet another reason I won't buy any of their kit, PC, Android, phone.

    And where exactly are the privacy laws ?: "The utility also sends non-personally identifiable system data to Lenovo servers"

  • Shitty article (Score:5, Informative)

    by buckfeta2014 ( 3700011 ) on Saturday August 22, 2015 @05:26AM (#50369023)
    Why even post this article. It's 2 lines. "Oh we found something", well good for you, how about telling us what you actually found?
  • Its a dumb feature (Score:5, Interesting)

    by Karmashock ( 2415832 ) on Saturday August 22, 2015 @06:54AM (#50369237)

    The last thing I want is my firmware getting updated automatically.

    I'd really like for all writable memory in my computer to be removable. And that includes the bios memory. Have it be a micro SD card or something.

    Here someone will say it will make the machine take 1 second longer to boot up or OH NOES the mobo will cost 10 cents more to make. But its worth it. It means you can audit the system to check for viruses really easily. You pull the chip, plug it into a clean system, and scan it. Or if you prefer... wipe it. Write the whole thing with ones then zeros... and then flash it with a proper version of the bios.

    And this also means that corrupted bios memory is less of a problem. You can pull the chip. Sure, if the processors or something else is damaged then this won't help. But i've had a few mobos that were totally fine except the bios was so corrupt you couldn't flash a fresh version. With this change, that problem is gone.

    Cue people saying "you can't do that because no one has done it that way yet"... climb a fucking tree so I can throw bananas at you then, you filthy animal! :-D

    • What I want way more than removable is I want bios write enable jumpers back. Some motherboards have them, but they are rare. I buy Gigabyte boards, so they have dual BIOS, so I'm not worried about my BIOS being taken out. If I had a WP jumper, I wouldn't be concerned about it being maliciously overwritten, either.

      • As soon as you put "removable" BIOS chips back, you have to provide physical access to that chip, you have to provide board space to mount it, it increases the price of the motherboard, and most important to security, it provides the possibility of corrupt vendor replacement of the BIOS chip with their _own_ socket replaced chip with only poweroff physical access, not console access to run the drivers or work with attached boot media.

        I'm not saying this is a greater attack vector: but it's one that has to b

      • by Agripa ( 139780 )

        The write protect jumpers were originally used because Flash memory at the time required an external high voltage supply for programming and the cheapest way to control this was through a physical jumper.

        I agree that controlling this through hardware is a good idea. The programming supply is no longer available for this but the write protect jumper could block the write strobe instead. Unfortunately some newer Flash memories do not have a separate write strobe either.

    • by wbr1 ( 2538558 )
      There were and maybe stillbare, enthusiast mobos with two BIOS chips. Fry one you could flash the other. Could also open up easy BIOS hacking or alt replacements.
      • There were and maybe stillbare, enthusiast mobos with two BIOS chips. Fry one you could flash the other.

        Gigabyte used to do that, but I'm pretty sure they just use one big bios chip now. If the first bios fails to load they just tie one address line high (or low, but I think it's high) and try to load again.

      • by Karmashock ( 2415832 ) on Saturday August 22, 2015 @07:57AM (#50369489)

        I want the want the writable memory chip to be a micro SD card. or something equally easy to plug into another machine to independently wipe it and verify that its wiped.

        Let me add some additional benefits of this... DRIVERS.

        If we use an SD card, then we can put more stuff on it than just the bios. OR the bios could be fucking massive. Either concept has some interesting possibilities.

        Imagine if the OS queried the motherboard for drivers. We could store viable copies of the drivers the system needs to use most of the installed hardware. That's nifty. Reinstall... no need to go hunting around for the right driver files. Automatically installed... actually. Not in theory... but actually. Anyone that has built a lot of machines knows what I'm talking about.

        And a giant bios could mean the bios could have a lot of additional functionality built into it. Not just the man behind the curtain.

        • by wbr1 ( 2538558 )
          And guess what... The preloaded in flash driver for our USB 3 controller includes.....ad blaster rootkit 2.0a
          • ... yes if you drivers are infected then you'll have infected your machine. But if you have version control and known good copies then you can negate the issue by overwriting everything with known goods.

            You can erase and verify the erasure of all writable memory, then write the known good bios and drivers.

            Make constructive comments please. Anyone can gainsay anything. You can gainsay water, air, the Sun...its not hard to do. Be constructive. Its the only potentially useful thing.

  • Covered on slashdot ten days ago:
    http://tech.slashdot.org/story... [slashdot.org]

    "Those who do not learn from history are doomed to repeat it" - Santayana

    E

  • ... it wasn't hidden well enough and somebody noticed.

  • Lesson to the wise: 1) Buy good, newish, used computers at a large discount off new prices and save money 2) Wipe the hard drive clean (or install a new one) 3) Install the OS of your choice (a Linux version is best) and save more money, and lastly, 4) Install whatever applications programs you want from a trusted Linux repository onto your hard drive and save even more money. End result: The only software residing on your "new" computer should be software that you want or don't mind having. Unfortuna

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...