One of the world's largest PC manufacturers, Lenovo, has been caught out using what is essentially a rootkit below the operating system level to ensure that its factory software persisted on its laptops even after a clean reinstall of Windows.
Earlier this month Lenovo revealed that its consumer PCs had been shipping with an executable stored in the basic input/output system (BIOS) firmware, where it could not be removed by wiping the disk or reinstalling the operating system.
Because the code lived in firmware, it ran on every boot without any user interaction. An Ars Technica forum member discovered that the BIOS on a Lenovo computer would check whether a particular Windows system file was Microsoft's original or Lenovo's own version; if it was Microsoft's, the file was deleted and replaced with the Lenovo one.
Once the Lenovo file was in place, it would run at boot, open an internet connection in plain text (no TLS/SSL encryption), and download and install Lenovo's factory software whether or not the user had asked for it.
The rootkit also sent system data to Lenovo: the system's unique identifier, its type and model, the region it was set to, and the date. Lenovo said no personally identifiable information was gathered.
The feature is known as the Lenovo Service Engine (LSE). Security researcher Roel Schouwenberg found it to be vulnerable to a buffer overflow and to spoofing of its connection to Lenovo's servers; since the download was unencrypted, anyone able to impersonate those servers on the network path could in principle supply what the machine installed.
Lenovo issued BIOS updates for its consumer PCs between April and May this year, and last month posted security advisories for its notebooks and desktops explaining how to disable LSE, together with tools that remove the feature completely.
Users must update their BIOS manually to patch against the flaw; the fix does not arrive through the normal operating system update channel.
The PC maker used a Microsoft feature called the Windows Platform Binary Table (WPBT) to run the program that downloaded its software.
WPBT is a fixed table in the Advanced Configuration and Power Interface (ACPI) data that firmware hands to the operating system. It holds the physical address and size of an executable that the firmware has already copied into memory; at boot, Windows reads the table and runs that executable as a native Windows program. Because the executable comes from firmware rather than from the disk, it runs on every boot regardless of what has been installed, or wiped, on the hard drive.
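For readers who want to see what the table actually contains, the following is an added example, not code from the article or from Lenovo: a small Python parser for a WPBT that follows the layout Microsoft documents for it (a standard 36-byte ACPI table header, then the handoff memory size, the 64-bit physical address of the binary, a layout byte, a content-type byte and an optional UTF-16 argument string). It validates the ACPI checksum so a corrupted or tampered table is rejected, and the sample table it parses is constructed inline so the script runs offline; the OEM ID, address and argument string in that sample are made up. On Linux the firmware's real table, if one is published, is exposed at /sys/firmware/acpi/tables/WPBT and can be passed to the script instead, which is a quick way to inventory whether a machine's firmware is injecting a binary at all.

```python
"""Parse a Windows Platform Binary Table (WPBT) ACPI table.

Added example for this article; not code from the article or from Lenovo.
Layout follows Microsoft's WPBT specification:
  36-byte ACPI header, then HandoffMemorySize (u32), HandoffMemoryLocation
  (u64 physical address), Layout (u8, 1 = single flat PE image), Type (u8,
  1 = native user-mode application), ArgumentsLength (u16), Arguments (UTF-16).
"""
import struct
from dataclasses import dataclass

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # signature .. creator revision, 36 bytes
WPBT_BODY = struct.Struct("<IQBBH")            # size, address, layout, type, args length
CHECKSUM_OFFSET = 9                            # byte 9 of the ACPI header


@dataclass
class Wpbt:
    oem_id: str
    handoff_size: int
    handoff_address: int
    layout: int
    content_type: int
    arguments: str


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI tables checksum to zero: all bytes summed modulo 256 must be 0."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a raw WPBT, rejecting anything malformed or with a bad checksum."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    (sig, length, _rev, _csum, oem_id, _oem_table,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length != len(table):
        raise ValueError("ACPI length field does not match table size")
    if not acpi_checksum_ok(table):
        raise ValueError("bad ACPI checksum: table is corrupt or tampered")
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + args_len > len(table):
        raise ValueError("argument string runs past end of table")
    args = table[args_off:args_off + args_len].decode("utf-16-le").rstrip("\x00")
    return Wpbt(oem_id.rstrip(b" \x00").decode("ascii"), size, addr, layout, ctype, args)


def build_wpbt(oem_id: bytes, size: int, addr: int, args: str = "") -> bytes:
    """Build a well-formed WPBT with a correct checksum (constructed test data only)."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(size, addr, 1, 1, len(arg_bytes)) + arg_bytes
    total = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", total, 1, 0, oem_id.ljust(6), b"WPBT    ", 1, b"TEST", 1)
    csum = (-sum(header + body)) % 256          # make the whole table sum to zero
    header = header[:CHECKSUM_OFFSET] + bytes([csum]) + header[CHECKSUM_OFFSET + 1:]
    return header + body


# Constructed sample: a fictional OEM pointing Windows at a 128 KiB image at
# physical address 0x7E000000 and passing it the argument "/quiet".
SAMPLE_WPBT = build_wpbt(b"EXAMPL", 0x20000, 0x7E000000, "/quiet")


def describe(table: bytes) -> str:
    """One-line human summary, as an inventory script would print it."""
    w = parse_wpbt(table)
    return (f"WPBT from OEM {w.oem_id}: binary at 0x{w.handoff_address:X} "
            f"({w.handoff_size} bytes), layout={w.layout}, type={w.content_type}, "
            f"args={w.arguments!r}")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/sys/firmware/acpi/tables/WPBT"
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError as exc:
        print(f"no WPBT read from {path} ({exc}); parsing constructed sample instead")
        data = SAMPLE_WPBT
    print(describe(data))
```

The checksum check matters more than it looks: the table is the only thing Windows consults before executing whatever sits at that physical address, so a parser that inventories WPBTs across a fleet should at least confirm the table is internally consistent before reporting the address it points to.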
A large range of consumer devices manufactured between October 23 2014 and April 10 this year are affected. Lenovo said none of its business Think-branded machines are affected by the LSE flaw.
LSE is no longer installed on new Lenovo systems, the company said, and it has listed the full range of vulnerable systems that require updates.
In February this year, Lenovo caused global outrage when it was found to have been preloading notebooks with the Superfish adware, which installed its own root certificate on the machine and used it to issue fake certificates for websites, giving the software full access to users' encrypted Transport Layer Security sessions.
Lenovo was forced to apologise and urgently issue updates to remove Superfish from its laptops, and was criticised by researchers for putting millions of users at risk of having their data intercepted in man-in-the-middle attacks.