Lenovo Installed Software On Laptops That Persisted After Complete Wipes

An anonymous reader writes: The Next Web has confirmed reports from owners of Lenovo laptops that the company used a BIOS feature to install its software on the laptops even if a user wiped a device clean and reinstalled the operating system. "If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own. Then, when the modified autochk file is executed on boot, another two files LenovoUpdate.exe and LenovoCheck.exe are created, which set up a service and download files when connected to the internet." Lenovo has published a patch to remove this functionality. The article notes that this technique seems to be sanctioned by a Microsoft policy. "Manufacturers are obligated to ensure that the mechanism can be updated if an attack is discovered and should be removable by the user, but the rules outlined in the document are fairly loose and don't require the OEM to notify the owner of the laptop that such a mechanism is in place."

Simple, no malice from Lenovo

[jkrise]

When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?

Re:

[Anonymous Coward]

You must be new here.

Re:Simple, no malice from Lenovo

[Impy the Impiuos Imp]

You must be newer. He was making a sarcasm.

Re:

[KatchooNJ]

Wish I had points today. :-)

Re:

[Anonymous Coward]

Because geeks want to maintain complete control over that sort of thing, and when the vendor takes that away it feels like they are crossing a line.

This emotional response shouldn't be hard to understand or predict. Lenovo should continue doing this, but should put public disclosures of this sort of thing in easy-to-find documentation so that geeks know about this going in, rather than discover it on the outside. That wouldn't hurt their sales at all but would palliate a lot of nerd rage.

Re:

[BronsCon]

That wouldn't hurt their sales at all

In fact, it would help their sales. Geeks love transparency. And if I know it's there and I know that MS dictates that it must be able to be disabled, I now have a reason to call them so they can make a sales pitch, as I'm sure they won't document how to disable it without a phone call.

Re:Simple, no malice from Lenovo

[Djoulihen]

The problem is that this feature mostly targets users who are trying to get rid of lenovo software. On a laptop you would normally restore your system or reinstall windows using the recovery partition which is full of vendor-added software. If you went through the trouble of installing a clean version of windows (by finding an OEM install of windows you can use your key with) it probably means that you expect your installation to be clean of any lenovo software. But guess what, you still end up with Lenovo software installed behind your back. I'm not saying there is absolutely no good reason to have the Lenovo software installed, but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?". Then it's your choice to go along with their software or handle the possible windows update mess yourself like a responsible geek.

Re:

[Anonymous Coward]

I'm not saying there is absolutely no good reason to have the Lenovo software installed, but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?". Then it's your choice to go along with their software or handle the possible windows update mess yourself like a responsible geek.

That is exactly what the software does, it doesn't install any bloatware, just a program that checks to see if said bloatware has been installed, and if it hasn't been installed it makes a nag popup to ask you to install it.

Re:Simple, no malice from Lenovo

[Just Some Guy]

but they could at least prompt you with a message like "We detected that you are running a fresh installation of windows, would you like to install our software to improve the performances of your computer and fix known hardware problems ?"

Yeah, no. Because even then they're injecting unknown code into your otherwise pristine environment; that dialog ain't gonna display itself.

In the situation where the user has explicitly gone out of their way to install a clean OS, it's a fairly safe bet that they're expecting to boot into a clean freaking OS, not a "mostly clean except what the hardware vendor dicked around with" system. I don't want the Western Digital BIOS injecting a SATA driver update, or my keyboard injecting a keyboard driver update, or my laptop injecting a laptop driver update. If I'm capable of laying down a clean image, I'm capable of installing all that stuff myself if I want it.

Re:

[LinuxIsGarbage]

or my keyboard injecting a keyboard driver update, or my laptop injecting a laptop driver update. If I'm capable of laying down a clean image, I'm capable of installing all that stuff myself if I want it.

As it is I get annoyed when Windows update tries to installed bloated Logitech drivers for my wireless Mouse / keyboard. They work fine as standard USB items, leave it that way!

I think it was the upgrade from Win8.0 to 8.1 that automatically installed bloated drivers from Logitech, and the shitty Synaptics drivers for my touchpad.

Re:

[Anonymous Coward]

When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft.

What the fuck are you talking about? Everyone, and I mean EVERYONE blames Microsoft.

Re:

[sociocapitalist]

When Windows auto-updates go horribly wrong, almost all users blame the h/w vendor, not Microsoft. So Lenovo uses this BIOS trick to protect their reputation. Why is this being depicted as malicious behaviour?

Do you work for Lenovo or are you just stoned?

This has nothing to do with protecting their reputation. This is a "We are installing really nasty spyware on your computer that you don't want and if you try and do a clean install we're going to install it again anyway".
http://www.ign.com/articles/20... [ign.com]

I will never buy a Lenovo product, nor recommend one to any of my clients.

Re:

[donaldm]

I have two HP laptops and except for changing the thermal paste on my gaming laptop I have never had any problems. I don't even get adds or annoying popups but then again I have never ran a Microsoft OS on them. My oldest laptop is over six years and still runs the latest version of Fedora (22) without any issues.

One policy I have always set is to turn off auto updates. So while I do see that updates are available I only manually update (GUI or command line although personally I prefer the command line) whe

Re:

[fph il quozientatore]

Two very good reasons: because they didn't tell their users, and because there is no way to disable it.

Re:

[donaldm]

Personally I have found dual booting is pointless since unless you really steel yourself you end up predominately using the Microsoft OS which for avid gamers this is still the best OS (debatable) to use since "Games for Windows" are designed to be run on a Microsoft OS. Of course you could use Wine but that is debatable as well.

If you require a Microsoft OS for your work the assuming the PC is belongs to your work then you have no choice although you may be able to run a Linux distribution in a virtual m

Vendor-sponsored Malware

[gweihir]

What is the world coming to?" It seems, no matter how obviously bad an idea is, somebody has to try it.

Re:

[meta-monkey]

You didn't think they were really going to let you own the thing you purchased from them, did you?

Re:

[gweihir]

Well, _I_ am capable of ripping out any and all crap they put in there, but most people are not. But it takes way too much time to do so, so I will not buy anything from them again without careful research.

Gigantic, gaping Lenovo-shaped hole

[kheldan]

Nevermind that in creating such a thing they've created a gigantic security hole in the hardware itself that an attacker could potentially use to make sure your computer is a permanent part of someones botnet!

Re:

[gstoddart]

Companies, and governments, who do this are too stupid/greedy/indifferent to care.

They want it for their purposes, and they simply don't give a damn if it can be used by someone else.

You can't have any mechanism which does this which isn't exploitable. But the people who decide to do this are only interested in their own needs.

Re:

[SlithyMagister]

Companies and governments are stupid/greedy/indifferent.

fyp
The purpose of a company is to move money from your pockets to its shareholders.
The purpose of government is to create laws that facilitate the flow.

Constitutions notwithstanding.

Re:

[hacker]

Nevermind that in creating such a thing they've created a gigantic security hole in the hardware itself that an attacker could potentially use to make sure your computer is a permanent part of someones botnet!

You think that wasn't the whole point to begin with? A remotely activated sleeper that sits on everyone's Windows machine at boot, and can run any executable dropped on the filesystem, silently and at every boot? The .gov is probably wringing their hands at the possibilities. Seriously. They're already doing it on phones, why not on everyone's personal computers as well?

Fuck Lenovo

[bazmail]

Never buying from that company again and will, in my capacity as family tech support guy, ensure that nobody in my family buys one. Wow. That company cannot die quick enough.

Re:

[XanC]

All these issues have been with the "consumer"-grade cheap laptops which have always been garbage, right? I don't think any of them have happened on Thinkpads.

Re:Fuck Lenovo

[Lumpy]

Yep My Thinkpad X250 has this and there is a bios update to fix it.

Re:

[XanC]

Gross. :-(

Re:Fuck Lenovo

[Baloroth]

Really? Because literally everything I've seen about it says none of the Think series are affected in any way. None of the thinkpads are listed on Lenovo's download page (and in fact the initial advisory [lenovo.com] specifically states none of the Think-branded laptops are affected).

Re:Fuck Lenovo

[kthreadd]

Yep My Thinkpad X250 has this and there is a bios update to fix it.

Which update are we talking about? The README for the latest BIOS update [lenovo.com] for the X250 (July 7) does not mention anything like this as far I can see.

Windows Platform Binary Table

[jones_supa]

This is actually a mechanism called Windows Platform Binary Table (WPBT).

More information can be found in the Microsoft WPBT whitepaper [microsoft.com]:

"This paper describes the format of a Windows Platform Binary Table (WPBT). The WPBT is a fixed Advanced Configuration and Power Interface (ACPI) table that enables boot firmware to provide Windows with a platform binary that the operating system can execute. The binary handoff medium is physical memory, allowing the boot firmware to provide the platform binary without modifying the Windows image on disk. In the initial version, the WPBT simply contains a physical address pointer to a flat, Portable Executable (PE) image that has been copied to physical memory. The WPBT is extensible, allowing the layout of published platform binaries to be more complex in future versions and allowing the support of more than one binary type.

It is expected that the binary pointed to by the WPBT is part of the boot firmware ROM image. The binary can be shadowed to physical memory as part of the initial bootstrap of the boot firmware, or it can be loaded into physical memory by extensible boot firmware code prior to executing any operating system code. A boot firmware component would create the WPBT based on the location of the platform binary. During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary. In the first version, the binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process. Windows may reclaim the physical memory described in the WPBT.

If Windows observes a WPBT during operating system initialization, it will attempt to use an ACPI control method to communicate binary execution status back to the platform."

Re:Windows Platform Binary Table

[mythosaz]

In short then, the summary is wrong.

Windows, not Lenovo, installs software on Lenovo laptops, by requesting the software from compatible hardware.

Re:Windows Platform Binary Table

[MobyDisk]

Both are to blame because there are 2 distinct problems here:

1. Microsoft trusts BIOS firmware enough to allow it to install arbitrary software on the machine.
2. Lenovo BIOS miuses the feature to install crapware.

We would not be complaining about #1 if Windows required user confirmation before doing this.
We would not be complaining about #2 if Lenovo was installing a fix for a video driver that they knew caused lock-ups on their hardware.

Technically though, the BIOS could probably do this even without Microsoft's help, although it would be much tougher to implement.

Don't trust the BIOS?

[Immerman]

Um, honestly I have a hard time getting upset over #1. If you can't trust the BIOS - the software that by its very nature has unrestricted access to every aspect of your computer and is responsible for loading the OS itself, then you're already screwed. Full Stop.

#2 on the other hand.... yeah, that's pretty much evidence that we can't trust the BIOS. See my previous point.

As for
>We would not be complaining about #2 if Lenovo was installing a fix for a video driver that they knew caused lock-ups on thei

Re:

[MobyDisk]

Yeah, if you don't trust the BIOS then you are not in good shape.

Yes, we would. We very much would. Such a "fix" would almost certainly end up locking you into one particular driver version, "helpfully" rolling back any newer driver you installed to fix additional issues/a

That's a strawman attack. I specifically said "installing a fix for a video driver that they knew caused lock-ups." You changed my scenario to "overwriting the video driver blindly" then attacked that scenario.

Re:

[MobyDisk]

You hit the nail on the head. This is about perspective. In one case the owner doesn't want software surreptitiously installed, but in another case the owner does want software surreptitiously installed.

Re:

[Rob Riggs]

Interesting. Does the UEFI BIOS need to be signed or can anyone update the BIOS and install their own persistent root kit?

Re:

[mythosaz]

The binary itself (loaded from the WPBT) needs signed with and is inspected by Signtool.

Re:

[Rob Riggs]

Cool tool to have at one's disposal during the prelude to a cyberwar. (The key players in any likely cyberwar all have the ability to sign anything they desire.)

China ...

[gstoddart]

Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.

However, as almost every other government more or less demands the same thing ... this as the new normal.

You can (and should) be outraged. But the fact that governments want back doors for everything is pretty clear.

I see this as precisely no different from the US tapping the telecom systems of other countries. People claim it's their right, and then get all freaked out when someone else

Re:China ...

[0123456]

Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.

But isn't Lenovo based in China these days, not America?

Re:

[rogoshen1]

holy god, talk about going off on a tangent. Tell me your thoughts on the NSA and FBI please

Re:China ...

[Anonymous Coward]

Tell me your thoughts on the NSA and FBI please

Do NOT buy an NSA or FBI laptop.

Re:

[buck-yar]

Most of the time I roll my eyes at tangents, but with how few people care about the NSA issue, I support this one.

Re:

[Mal-2]

holy god, talk about going off on a tangent. Tell me your thoughts on the NSA and FBI please

They're trying to close the gap with CIA, but they are not yet full up to speed on having big guys (nobody cares who they are until they put on the mask) crash their operation with no survivors.

Re:

[rogoshen1]

this is the first time i've seen bane posting on Slashdot.. Thank you, made my day :)

Re:

[macs4all]

Sorry, but this is what happens when you let a country under the sway of a totalitarian government build you computers.

I didn't know that Lenovo was built in the U.S.A.

Re:

[tepples]

Even if not, the USA is under the sway of the allegedly totalitarian Kingdom of Saudi Arabia. If it weren't for USA's energy imports, its foreign policy makers might have been less likely to overlook rampant Saudi discriminatory treatment of women.

Not sure if Google abandoned Lenovo...

[__aaclcg7560]

When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.

Re:

[Anonymous Coward]

When I briefly worked inventory in 2008, Google management was thinking of abandoning Lenovo laptops as they kept finding backdoors for Chinese hackers in the BIOS. Not sure if they ever did. On the few contract assignments I've done for Google since then, everyone I worked with had a MacBook Pro laptop.

I am beginning to suspect that there is a Chink in the security of these devices.

*#^@@^ dirty Philistine assholes!

[Thud457]

Pretty sure the Bible doesn't say racism is a sin.
Hell, it's a main purveyor.

The good Samaritan

[tepples]

Jesus's definition of the scope of "love your neighbor" through his illustration of the good Samaritan is plenty anti-racist.--Luke 10:25-37.

Re:

[cfalcon]

I've never heard of any drama with Dell, besides their bloatware. But that's removable or reinstallable.

Re:

[Carewolf]

Google is the same today. Almost everyone is either on a chromebook or a macbook pro.

Nobody with a sound mind runs dell, HP, or lenovo.

No one with a sound mind uses an Apple device or _can_ use a chromebook. The news on for instance Ars today is that they want PCs to adopt the same persistenting software Apple devices have where they reinstall OS X even after you wiped it completely from the system. This story is almost deja vu.

Re:

[flopsquad]

The news on for instance Ars today is that they want PCs to adopt the same persistenting software Apple devices have where they reinstall OS X even after you wiped it completely from the system.

If it's the "undeletable" OSX partition you're talking about, it's doable (have completely wiped a MBP drive and reinstalled fresh). Pain in the ass, but doable.

If it's a BIOS thing like TFS, I got no dukes. Wouldn't be surprised, though.

Re:

[__aaclcg7560]

http://www.theregister.co.uk/2013/07/29/lenovo_accused_backdoors_intel_ban/ [theregister.co.uk]

I don't see a problem...

[buckfeta2014]

... as long as it's constrained to only device drivers. That way we're not stuck, especially considering people are ditching optical drives.

Re:

[tepples]

How would one get stuck? Connect USB flash drive containing the operating system installer to USB port, connect a second flash drive containing additional drivers if necessary to second USB port, and reinstall.

Re:

[tepples]

How is this any different from "I lost my drivers CD"?

Details missing...

[ad454]

When does the bios install the files, at boot time, or when the OS is running?

If at boot, this should require bios drivers for read+write ntfs filesystem support in order to know where in the primary drive the bios needs to install the files, which means the bios can hold a much larger amount of storage then expected.

If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just storage, such as memory and network access.

Does this still work with FDE (Full Disk Encryption), such as bitlocker, truecrypt, bestcrypt, pgpdisk, etc.?

effort required

[rewindustry]

RTFA, numbnuts.

Re:

[tlhIngan]

When does the bios install the files, at boot time, or when the OS is running?

If at boot, this should require bios drivers for read+write ntfs filesystem support in order to know where in the primary drive the bios needs to install the files, which means the bios can hold a much larger amount of storage then expected.

If when the OS is running, this opens up the potential for many new scarier exploits and backdoors, even for a more secure OS with different file systems, such as Linux or *BSD, beyond just sto

Re:

[wbr1]

It is windows doing during windows boot. The BIOS puts a binary into RAM at a set address, Windows reads it and injects it into the boot sequence. This is normal windows behavior (however stupid or needed it is).

Scarier to me is that instead of basic driver/ACPI junk Lenovo is apparently using it to download and install MORE executables onto the PC. This is rootkit behavior.

Licensing agreement

[LoyalOpposition]

"If Windows 7 or 8 is installed, the BIOS of the laptop checks 'C:\Windows\system32\autochk.exe' to see if it's a Microsoft file or a Lenovo-signed one, then overwrites the file with its own.

Since this doesn't require my agreement, then does that mean I'm unrestricted as to what I can do with it? Namely, reverse compiling, distributing, etc?

~Loyal

Re:Licensing agreement

[msauve]

It should mean that Lenovo gets prosecuted for violation of the CFAA [wikipedia.org]:

knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

Deliberately replacing a file I've installed with one of their own sure seems like intentional damage to me.

Re:

[American Patent Guy]

Good luck convincing a judge of that...

The root problem

[Macdude]

The root problem is the people who design a feature to allow code to persist through a wipe and don't see that as a huge security hole!

Security is simple is you care about it, things like a BIOS update shouldn't be possible without a physical action by the user. For example a jumper on the motherboard has to be installed during the boot (which can easily be extended to a button on the case) which would look for a specific file in a specific location and update the bios after confirming on screen with the user. The jumper would then have to be removed prior to the system booting normally.

Any feature that a good application can use to update your system, a bad application can use as well. To use a car analogy, a security "feature" that lets you unlock your car if you've lost your keys (which sounds useful on its face) - also allows a bad guy to unlock your car.

Re:

[Cinnamon Beige]

Those who don't learn from history are doomed to repeat it.

We used to have BIOS jumpers. Then system admins wanted to be able to run a BIOS update across whole companies. The BIOS is very rarely comprised compared to the amount of updates it receives, so it was a good trade off.

The better solution might be to minimize BIOS updates as well as some special process involved in activating access to the BIOS--not necessarily resetting jumpers but something that requires an act from a human being.

Lenovo Installed Software Making Laptops Vulnerabl

[VideoTurkiye Net]

Lenovo Installed Software Making Laptops Vulnerable to Hacking: Experts videoturkiye.Net http://www.videoturkiye.net/le... [videoturkiye.net]

It could be worse...

[mandark1967]

They could be loading Adobe Flash

Viruses

[MakersDirector]

Back in 2011, I had a virus which persisted on my Blackberry after a full factory reset and clear. Nasty little bugger, also infected my Kindle, my wireless smart monitor and xbox, and a SecureRom bios secured machine. Sliced through it all like butter, and reinstalled itself even after full wipes.

I now carry only a laptop. No cell phones. No nothing. That kind of trouble's just too much for me.

More security means less security ..

[nickweller]

So, in this case, adding a security feature means opening the machine up to third party hacking.

No need for Thunderstrike if you buy a Lenovo

[macs4all]

The Malware's baked-in-goodness from the factory!

Correction

[JustAnotherOldGuy]

"Lenovo Installed Malware On Laptops That Persisted After Complete Wipes"

FTFY

Very Accurate Planned Obsolence

[A non moose cow]

This will be used by at least one manufacturer to implement gradual device failure shortly after warranty.

Re:

[MagickalMyst]

Linux also has a GUI available. Many [howtogeek.com], in fact.

Also, command line is not difficult to learn or use; and it is incredibly powerful.

As for being evil.. command line is about as evil as a swiss army knife. It is the person using the tool who decides whether or not to use it for good or evil; not the tool itself.

The only thing close to evil here is the persistent "malware" (imho) that Lenovo is pushing on their systems.

Re:

[Lumpy]

Ubuntu's shoveling adverts at you at every angle is pretty scummy.

Re:

[MagickalMyst]

Agreed. All unsubscribed adverts are scummy.

Re:

[chipschap]

I agree, but I have the choice to use a different distro, and I do.

Still Ubuntu is nothing--- absolutely nothing--- compared to the steaming pile on a machine I just got from HP, which came with windows 8.1 preloaded.

For years, the sole windows installation I had on any machine was XP SP3. I can't believe how much worse windows has become over the years. Incredible levels of protection to make it hard to uninstall the crapware. Nagging pop-ups. Malware susceptibility (the computer had McAfee pre-installed,

Re:

[Immerman]

It seems you forgot the first rule of Windows - never use the even versions. Microsoft even went out of their way this last time and skipped version 9 in order to maintain consistency.

Re:

[Zontar The Mindless]

As I've been saying for the past 6 or 7 years: Sensible folks don't use Ubuntu.

(I never have, and never will.)

There are only about 50 other "major" distros out there to choose from. And hundreds of lesser ones.

Re:

[serviscope_minor]

As I've been saying for the past 6 or 7 years: Sensible folks don't use Ubuntu.

Why not? I use ubuntu daily on my laptop. I also run an ubuntu based cluster, and I've used plenty of AWS instances with ubuntu. I've never had adverts shovelled at me and it seems to work very well.

Shopping lens

[tepples]

Ubuntu Server, Kubuntu, and Xubuntu don't have the "shopping lens" that Ubuntu Unity has.

Re:

[cbhacking]

Unfortunately, for those who like KDE, Kubuntu is a colossal pile of poorly-configured and untested crap. It's been that way for years, and they don't care. The current LTS release, for example, has a problem with Akonadi, which means that KDE's PIM (Personal Information Manager) doesn't work, which means stuff like kmail won't run. I don't know what's actually wrong with it - it complains about a file not existing, when that file totally does, in fact - but it's an impressive example of how little of a fuc

Re:

[techno-vampire]

I'm with Zontar on this one: don't use Ubuntu. Unless you specifically want Unity, there are better options.

It didn't take more than five minutes for my older sister to decide that she wanted Linux, not Windows, so we downloaded and installed Ubuntu. This was before they went to Unity, and all was well. It didn't take her long to decide that she didn't want to fight with Unity because Unity and Parkinson's don't go well together so I migrated her across to Xubuntu, and she's been happy with it ever sin

Re:

[serviscope_minor]

Ubuntu Server, Kubuntu, and Xubuntu don't have the "shopping lens" that Ubuntu Unity has.

Ah, well, I never use unity anyway. I always install FVWM, get my config from github and off I go.

Re:

[macs4all]

Also, command line is not difficult to learn or use; and it is incredibly powerful.

Whoosh!

Re:

[donaldm]

At least Lenovo gives you a GUI with Windows 8. On EVIL COMMAND LINE LINUX you're stuck with bad evil hard-to-use command lines. You should be thankful that Lenovo gives you this extra software as a bonus instead of forcing you to use an EVIL command line!

The troll is strong with this one or is this sarcasm.

Re:

[Penguinisto]

Wiped, hell - this rig looks like you could replace the entire hard drive, install Windows, then the BIOS (or is it EFI?) injects its crap in anyway.

Not like *that* would never be abused by the first script kiddie to notice it...

LoJack for Laptops does this...

[mlts]

It isn't just Lenovo. On most major brands of PC laptops, there is a BIOS setting that once set, can't be unset, which either enables LoJack for Laptops permanently, or permanently disables it. If it is set, it will always load the LoJack executables when Windows is installed, even if the hard disk is blank and the install media is clean.

Of course, this is a mechanism that can be both used for good or ill... I wouldn't be surprised to see BIOS attacks that allow an attacker to flash a Trojan dropper which will always be present even on a reinstall with the only fix being either a firmware upgrade (if the attacker didn't already block that), or replacement hardware. The only real way to prevent it is to virtualize everything, with the bare metal OS as thin as possible [1].

[1]: Would be nice to see something like VMWare ESXi, except with the ability to use the console graphically, one step up from a dumb terminal.

Re:Lenovo

[MachineShedFred]

... install Windows ...

I think I just found how to fix it. Don't install Windows!

Re:

[Z00L00K]

What if Windows is installed in a non-standard path? Will this BIOS tool still be able to inject the stuff?

Re:

[davester666]

trick question. Windows only installs on a standard path.

Re:

[JonathanR]

Just run Windows under a VM on top of some *nix.

Re:

[flacco]

> I think I just found how to fix it. Don't install Windows!

The solution to so many life's problems.

Re:Lenovo

[fuzzyfuzzyfungus]

On the plus side, the script kiddie might have a somewhat tricky time of it. On the minus side, if the OEM doesn't cave, or is actively hostile, you are also going to have a nasty time of it.

Suitably recent Intel CPUs [intel.com] have 'Intel boot guard'(Just above the middle of page 4). Apparently, in practice, basically all the vendors ship in 'Verified boot' mode. Their public key is fused in to the silicon at the factory; and if the appropriate private key wasn't used to sign the firmware, no dice.

The 'measured boot' capability is a bit more interesting; but largely moot because nobody uses it. I wouldn't put it past an OEM to somehow screw this up; but all reasonably contemporary laptops are not going to take kindly to 3rd party firmware.

Re:

[omnichad]

Does that mean you can't buy a used Intel CPU and put it in a different brand's computer? Or does this only apply to laptop CPUs that are soldered in.

Re:Lenovo

[adamstew]

This has little to do with Intel CPUs and everything to do with Intel Chipsets. The CPUs are interchangeable, but the chipsets on the motherboard are not. It's the chipset that is fused with the manufacturer's public key. The chipset then verifies the FIrmware/EFI/BIOS software.

Re:

[macs4all]

Not like *that* would never be abused by the first script kiddie [^h][^h][^h][^h][^h][^h][^h][^h]Government Agency to notice it...

FTFY.

Re:

[GuB-42]

According to the patch notes, it seems that Thinkpads are not affected. In face, even though Thinkpads are made by Lenovo, they can almost be considered a separate brand, closer to its IBM roots than to the other Lenovo's products.

Additionally, workstation-class laptops mostly target professional users that use whatever OS is needed for the job, and it is often Windows. Sometimes, if it is a company policy, you don't even have the choice.

Re:

[phayes]

The patch notes lie. Thinkpads are affected too.

Re:

[kthreadd]

Can you point to any information on that? Would be interesting to see a list of affected models.