Lenovo laptops using rootkit-like techniques to install their software
-
Remember when Lenovo accidentally made their laptops trust a CA with a publicly known private key? Well, after that disaster they've moved on to newer, more sophisticated ways of compromising their systems.
I am getting a dialog box that pops up saying "Note: This is from the product itself and not from the network. To help you continue to upgrade system firmware and software [...] download and install the Lenovo system optimization software."
Before booting Windows 7 or 8, the BIOS checks if C:\Windows\system32\autochk.exe is the Lenovo one or the original Microsoft one. If it is not the Lenovo one, it moves it to C:\Windows\system32\0409\zz_sec\autobin.exe, and then writes its own autochk.exe. During boot, the Lenovo autochk.exe writes a LenovoUpdate.exe and a LenovoCheck.exe file to the system32 directory, and sets up a service to run one of them when an internet connection is established.
And of course, this "helpful feature" has already been found vulnerable (gasp), and Lenovo has published an official update to disable it.
Lenovo, Microsoft and an independent researcher have discovered possible ways this program could be exploited by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.
(Of course, if I were paranoid I'd propose the possibility that the Chinese government had something to do with it and the vulnerability was not left there by accident.)
https://news.ycombinator.com/item?id=10039870
LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability
http://download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx (archived version)
A rich set of tools exist to aid Windows provisioning, ranging from driver injection and offline registry management to sysprep imaging tools. However, there is a small set of software where the tools are not enough. The software is absolutely critical for the execution of Windows but for one reason or another, the vendor is unable to distribute the software to every provisioning entity. This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution. The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.
That's right, this is an officially supported Windows feature!
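
Added example, not part of the original post and not Lenovo or Microsoft code: a small parser for the ACPI table the quoted paper describes, so a defender can see whether the firmware publishes a platform binary and where. It assumes the documented WPBT layout (standard 36-byte ACPI header, then handoff size, handoff address, content layout, content type, argument length); `build_sample_wpbt` and its OEM IDs and addresses are constructed sample data.

```python
import struct, sys

# Standard ACPI header: signature, length, revision, checksum, OEM ID,
# OEM table ID, OEM revision, creator ID, creator revision (36 bytes).
_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body: handoff memory size, handoff memory address, content layout,
# content type, length of the command-line arguments (16 bytes).
_WPBT = struct.Struct("<IQBBH")

def parse_wpbt(raw: bytes) -> dict:
    """Validate a raw WPBT table and return the fields worth reviewing."""
    fixed = _HEADER.size + _WPBT.size
    if len(raw) < fixed:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = _HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not fixed <= length <= len(raw):
        raise ValueError("length field inconsistent with data")
    raw = raw[:length]
    if sum(raw) & 0xFF:                      # all bytes must sum to 0 mod 256
        raise ValueError("bad ACPI checksum")
    size, addr, layout, ctype, arg_len = _WPBT.unpack_from(raw, _HEADER.size)
    if fixed + arg_len > length:
        raise ValueError("argument length overruns table")
    args = raw[fixed:fixed + arg_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table.decode("ascii", "replace").strip(),
        "handoff_address": addr,   # physical address of the published binary
        "handoff_size": size,      # size of that binary in bytes
        "single_pe_image": layout == 1,
        "native_user_mode_app": ctype == 1,
        "arguments": args.rstrip("\0"),
    }

def build_sample_wpbt(args: str = "") -> bytes:
    """Constructed sample table; every value here is made up."""
    arg_bytes = args.encode("utf-16-le")
    length = _HEADER.size + _WPBT.size + len(arg_bytes)
    table = bytearray(
        _HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"SAMPLE", 1, b"TEST", 1)
        + _WPBT.pack(0x20000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes)
    table[9] = (-sum(table)) & 0xFF          # checksum byte sits at offset 9
    return bytes(table)

if __name__ == "__main__":
    # On Linux, a present table is exposed at /sys/firmware/acpi/tables/WPBT.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_wpbt()
    print(parse_wpbt(raw))
```

A machine whose firmware publishes no platform binary simply has no WPBT table to read.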
-
My work laptop is a Lenovo running Windows 8.1 and I don't have wpbbin.exe.
-
My work laptop is a Lenovo running Windows 8.1 and I don't have wpbbin.exe.
My Lenovo laptop doesn't even have autochk.exe....
-
@hungrier said:
My work laptop is a Lenovo running Windows 8.1 and I don't have wpbbin.exe.
My Lenovo laptop doesn't even have autochk.exe....
I don't even have ntoskrnl.exe on my Lenovo laptop.... :-P
-
I will never understand why people buy Lenovo laptops.
-
-
That is actually 90% of the reason why I will never buy one.
-
Mine doesn't have one of those, and is fairly awesome. This kind of thing is never nice to hear, though.
-
@blakeyrat said:
I will never understand why people buy Lenovo laptops.
It's the nipples.
But the original poster was writing about the Y40-80, which has the "Barbie" keyboard.
-
Wow that laptop doesn't have the nipple and the function key is in the proper place. I wonder if I can get one of those keyboards to fit my T420 that I got for $200. Hmm wonder if that's why all those laptops were refurbed - the recent vulnerabilities.
-
>LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability (archived version)
A rich set of tools exist to aid Windows provisioning, ranging from driver injection and offline registry management to sysprep imaging tools. However, there is a small set of software where the tools are not enough. The software is absolutely critical for the execution of Windows but for one reason or another, the vendor is unable to distribute the software to every provisioning entity. This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution. The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.
That's right, this is an officially supported Windows feature!
Windows : insecure by design
-
Right because firmware is so easily hacked.
-
-
Remember when Lenovo accidentally made their laptops trust a CA with a publicly known private key? Well, after that disaster they've moved on to newer, more sophisticated ways of compromising their systems.
Heck.. I wouldn't buy a Lenovo even when IBM owned them and my son could have got me an employee discount. Piece of junk IMHO..
-
What I don't understand is how anyone could trust them after the shit they pulled last time...
-
Mostly, for the hardware. At least in the Yoga series, it's pretty hard to beat.
-
Unless you have a hard-on for keyboard nipples, you can buy far better hardware from Acer. Dell's stuff is on-par. HP would be also if they didn't pack in tons of malware with the OS install.
-
What you're saying makes absolutely no sense. The Yoga 2 Pro has no nipple, and a better monitor than 98% of laptops.
-
Everything I say makes mega-sense. You can't perceive the sense because your sensory organs are too small.
Anyway, why would you buy a Yoga when you could buy a Surface?
-
Because I can't work on a laptop with a size below 13 inches. Otherwise I definitely would get a Surface.
-
The Yoga 2 Pro has no nipple, and a better monitor than 98% of laptops.
I love mine.
Though upgrading to Win10 killed 2-finger touchpad scrolling. Downloading a new driver from Lenovo fixed that.
-
At least in the Yoga series, it's pretty hard to beat.
Dell xps 15. I just can't buy it here...
The yogas have a low price/performance here.
-
upgrading to Win10 killed 2-finger touchpad
My Asus laptop "upgrades" my touch pad drivers daily, fucking the drivers, and all but "move the mouse" functionality. It's great!
-
My Asus laptop needs their custom drivers to support media keys and touchpad scrolling.
Despite the fact that those features have been common for how long, a decade? Probably more. And Windows (definitely 8, but most likely 7 too) definitely has built-in support for them.
I have to see this monstrosity every time I raise or lower the volume:
UPDATE: upon further inspection, the volume keys DO work if I kill all the Asus processes, but the default Windows volume indicator has been disabled somehow.
-
I have to see this monstrosity every time I raise or lower the volume:
And marketing gave that developer a big bonus! high-five counts, right?
-
I wish I had driver updates. Sony's drivers just simply stop working randomly, depending on which program is currently active. I've had to resort to using the touch screen sometimes because the mouse flat out disappears.
-
've had to resort to using the touch screen sometim
Fwp much?😝
driver updates
So do I. They don't really do anything, except break stuff.. 🙅
-
their custom
My volume keys work without drivers. (in both 10 and 8)
TRWTF is Asus taking Elan's (already shitty - compared to Synaptics) drivers and making them even worse. No scroll direction change, no ability to change multi-click actions etc.
Under Win 8 the Elan driver could be coerced to work, under 10 it won't.
-
Why would you buy a Sony anything?
TO ADD TO TALES OF WOE:
After putting Windows 10 on my Acer, Windows was confident I had Bluetooth hardware and it was in working order. ALAS. It did not work until I reinstalled the Windows 8.1 driver from Acer's website. Works now though.
-
Could be worse. Windows thinks I have Bluetooth, but in fact I don't (anymore). Sure, it was part of the old Intel Wi-Fi card, but I replaced that ages ago (who has 802.11b installed by default?!), so by doing so I have no more Bluetooth (new card only has Wi-Fi).