Lenovo has backtracked over the use a little known Windows BIOS trick that installs persistent software on the firm's systems without the consent of the user, even if they wiped their entire operating system to try and remove it.
The company has released patches to remove the software from a raft of its devices as the feature left systems open to attack and was "not consistent" with new guidelines put forward by Microsoft.
The tool in question was called Lenovo Search Engine (LSE) and it downloaded a program called One Key Optimiser used for "enhancing PC performance by updating firmware, drivers and pre-installed apps".
It took advantage of a feature in Windows called Windows Platform Binary Table (WPBT) that is intended to ensure "critical software" crucial to running Windows remains in place, even after the operating system has been wiped.
However, Lenovo was using this to ensure its own software would also install on the device, even if the user tried to remove it.
The BIOS of the computer was set to check the System32 boot up file on specific Lenovo systems. If only Microsoft files are present, the system overrides them to include specific manufacturer software.
Two files, LenovoUpdate.exe and LenovoCheck.exe, were then set up to download automatically as soon as the device is connected to the internet.
However, the set-up sends system data automatically to Lenovo by default and found to be vulnerable to attack by hackers. Lenovo said it was first warned of the issue by security researcher Roel Schouwenberg around April-May and it verified the flaws with Microsoft.
"Lenovo and Microsoft have discovered possible ways this program could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server," it added.
As a result Lenovo has now issued two security advisories to remove the software. The update for its affected desktop machines is listed as ‘low' severity but the Lenovo notebook security fixes is marked as ‘high' severity owing to a further vulnerability that could be used by an attacker to escalate system privileges.
Affected machines include the Yoga 3, Flex 2, Pro 15 and V3000 notebooks and the H, C and Horizon desktop ranges. However, its ThinkPad range is not affected.
Lenovo's urged users to install the updates as quickly as possible.
"[LSE] is no longer being installed on Lenovo systems. It is strongly recommended that customers update their systems with the new BIOS firmware which disables and/or removes this feature," the firm said.
Lenovo came under fire earlier this year for releasing hardware with a form of adware pre-installed called Superfish that collected data such as web traffic to push advertisements to users.
Lenovo's chief technology officer promised in February that the company would stop production of any adware-infected products.
'Notorious' Australian child hacker thought he had executed 'flawless' hack
The former employee says that Tesla fired him for bringing the accusations to management internally
Insecticides based on sulfoxaflor might be as bad for bees as neonicotinoids
Intel teases forthcoming new graphics card accompanied by the text "We will set our graphics free"