In our previous publication we reported on the risks that Lenovo's LSE program poses to the protection of users' personal data. Today we received the company's official announcement on this specific matter through its representative.
We hereby notify you of Lenovo's official statement:
In the April-May period, Lenovo released new BIOS firmware for some of its consumer PCs, which did not include a security vulnerability discovered and brought to the surface by an independent security researcher, Roel Schouwenberg.
In co-operation with Mr. Schouwenberg and in line with industry best practices for the protection of personal data, on 31 July 2015, we issued the Lenovo Product Security Advisories, which highlight the new BIOS firmware - specifically for consumer Notebook and Desktop.
Lenovo strongly recommends that users keep their systems updated with the latest BIOS firmware.
Starting in June, the new BIOS firmware has been installed on Lenovo's new consumer notebook and desktop systems.
The vulnerability was linked to the way Lenovo uses the Microsoft Windows engine in a feature found in the BIOS firmware, called Lenovo Service Engine (LSE), which was installed on some Lenovo consumer PCs. Think-brand PCs were not affected.
Together with this security researcher, Lenovo and Microsoft discovered possible ways that this program could be exploited by an attacker, including a buffer overflow attack and an attempt to connect to a Lenovo test server.
As a result of these findings, Microsoft recently released updated safety guidelines (see page 10 in the attached file) about how to best apply this Windows BIOS feature.
The use of Lenovo LSE was incompatible with these new guidelines. As a result, LSE is no longer installed in Lenovo's systems. Customers are particularly advised to update their systems with the new BIOS firmware that disables or removes this feature.
The LSE was shipped to some Lenovo notebook systems running Windows 7, 8 and 8.1, and desktop systems running Windows 8 and 8.1. The software is not preinstalled on any Think-branded PCs.