In our previous publication we mentioned the dangers of Lenovo's LSE program for protecting the user's personal data. Today we received the official announcement of the company through its representative on this issue.
We hereby notify you of Lenovo's official statement:
Between April and May, Lenovo released the new BIOS firmware for some of its consumer PCs, which did not include a security vulnerability that was discovered and came to light by an independent security researcher, Roel Schouwenberg.
In co-operation with Mr. Schouwenberg and in line with industry best practices for the protection of personal data, at 31 July 2015, we issued the Lenovo Product Security Advisories, which highlights the new BIOS firmware - especially for consumer notebook and Desktop.
Lenovo unreservedly recommends that users can keep their systems up-to-date with the latest BIOS firmware.
Starting in June, the new BIOS firmware has been installed on Lenovo's new consumer notebook and desktop systems.
The vulnerability was linked to Lenovo's use of the Microsoft Windows mechanism in a BIOS firmware called the Lenovo Service Engine (LSE) that was installed on Lenovo's consumer PCs. PC Think-brand was unaffected.
Together with this security researcher, Lenovo and Microsoft have discovered possible ways in which this program could be exploited by an attacker, including a buffer overflow attack and an attempt to connect to a Lenovo test server.
As a result of these findings, Microsoft released recently updated safety guidelines (see page 10 in the attached file) about how to best apply this Windows BIOS feature.
Registration in iGuRu.gr via Email
The use of Lenovo LSE was incompatible with these new guidelines. As a result, LSE is no longer installed in Lenovo's systems. Customers are particularly advised to update their systems with the new firmware BIOS that disables or removes this feature.
The LSE was shipped to some Lenovo notebook systems running Windows 7, 8 and 8.1, and desktop systems running Windows 8 and 8.1. The software is not preinstalled on any Think-branded PCs.