This time, the component is called the “Lenovo Service Engine (LSE)” and is built into BIOS. This feature launches after the machine is turned on and replaces Microsoft’s start-up diagnostics program with Lenovo’s version. The latter does all the same things as Microsoft’s, and two more: it makes sure that Lenovo’s own software update tools are still present on the PC or laptop and re-installs them if they were removed. Then the software update tools run to download and install drivers to keeping the machine up to date, along with other software preinstalled on Lenovo devices – the so-called “crapware”.
Like the earlier controversial feature, the LSE also provides almost no benefits to the end user: the software is buried so deeply into the system that it’s very hard to remove. And it also goes beyond annoyance, into pure security vulnerability: the researchers discovered how to use it to perform a “privilege escalation” attack. The latter would allow a hacker to gain greater control over a vulnerable machine.
So, Lenovo had to release updates to uninstall the LSE code, both for laptops and desktops. The company announced the release of Lenovo Product Security Advisories highlighting the new BIOS firmware. The computer manufacturer strongly recommended its users update their systems with the latest BIOS firmware. Lenovo also published a list of the affected models. It is known that no ThinkPad range of business machines was affected.
Shortly after that, Microsoft released new guidelines on how software like LSE should work, thus literally banning Lenovo from shipping it. Microsoft said that Lenovo’s use of LSE was not consistent with the updated guidelines and therefore cannot be installed on Lenovo systems any longer. Microsoft also recommended all users update their systems with the new BIOS firmware, which disables or removes LSE.
By the way, last time Lenovo promised to install no more bloatware on its devices. However, as the most recent problem shows, understanding of what exactly that entails varies.