I have not been a fan of Windows 8 and I was not enamored with Windows 10. With Windows 8's persistent reliance on the cloud, and Windows 10's even more so, I had serious concerns about both operating systems. Microsoft has now really done the unthinkable and purposefully built into Windows the ability to persistently compromise your machine, with the ability to modify the firmware persistently. If you are running Windows 8 or 10, your system isn't your own. Microsoft has made it stupidly easy to do an NSA-style takeover of your machine. There is no way to do this type of backdoor securely, so you can bet there are many, many machines out there that are already taken over and folks do not know it. You may see this as a Chicken Little post. If you do, fine. I figured UEFI was insecure, and it has already been shown to have serious security vulnerabilities. We are now faced with an entire PC architecture that is designed to lock you out of your machine in terms of choice of operating system (Secure Boot), leveraging an insecure firmware platform (UEFI), with the world's largest operating system vendor now purpose-building bootkit abilities directly into its operating system. This is a gift-wrapped data breach scenario for data thieves. The data breaches are just getting started, folks. It is about to get much worse. How much worse? Keep in mind many "cloud" servers run UEFI firmware on their motherboards, and many of them are converting to Server 2012 (which is really just Windows 8 with a server interface). If the cloud has not gone boom for you yet, just wait. The time for its destruction is coming very quickly.
Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability.
If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop’s firmware will quietly and automatically reinstall Lenovo’s software on the next boot-up.
Built into the firmware on the laptops’ motherboard is a piece of code called the Lenovo Service Engine (LSE). If Windows is installed, the LSE is executed before the Microsoft operating system is launched.
The LSE makes sure C:\Windows\system32\autochk.exe is Lenovo's variant of the autochk.exe file; if Microsoft's official version is there, it is moved out of the way and replaced. The executable is run during startup, and is supposed to check the computer's file system to make sure it's free of any corruption.

Lenovo's variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system's system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot.

LenovoCheck and LenovoUpdate are executed on startup with full administrator access. Automatically, and rather rudely, they connect to the internet to download and install drivers, a system "optimizer", and whatever else Lenovo wants on your computer. Lenovo's software also phones home to the Chinese giant details of the running system.
To pull this off, the LSE uses Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.

The WPBT is an ACPI table stored in the firmware. It tells Windows where in physical memory it can find an executable, called a platform binary, to run. That executable takes care of installing files while the operating system is still initializing, before any user logs on.
“During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary,” Microsoft’s documentation states.
“The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process.”
Crucially, the WPBT documentation stresses:
The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration … Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.
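The quoted documentation describes the mechanism but not how to check your own machine for it. The following Python tool is an added example, not code from the original post, from Microsoft or from Lenovo: it decodes a WPBT table into its fields, verifies the ACPI checksum, and reports what the firmware is asking Windows to execute. It assumes the field layout from Microsoft's WPBT specification (a standard 36-byte ACPI header, then a 4-byte handoff size, an 8-byte physical address, 1-byte content layout and content type, and for type 1 a 2-byte command-line length followed by UTF-16LE arguments); whether that length counts the null terminator is treated here as an assumption. On Windows it fetches the live table through kernel32!GetSystemFirmwareTable; elsewhere it runs against a constructed sample table so it works offline. The OEM identifiers, address and arguments in the sample are made up for the example.

```python
"""Parse and audit a Windows Platform Binary Table (WPBT) ACPI table. Added example, not
code from the original post, Microsoft or Lenovo; argument-length rule and sample are assumptions."""
import ctypes
import struct
import sys
from typing import Dict, List, Optional

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBB")              # handoff size, phys address, layout, type
CONTENT_LAYOUT_SINGLE_PE = 1                    # 1 = one flat PE image in memory
CONTENT_TYPE_NATIVE_APP = 1                     # 1 = native user-mode app run by smss.exe

def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI rule: all bytes of the table, checksum byte included, sum to 0 mod 256."""
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> Dict[str, object]:
    """Decode a WPBT blob into its fields; raises ValueError if it is malformed."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("buffer too short for a WPBT table")
    sig, length, _rev, _chk, oem_id, oem_table_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"bad signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != buffer length {len(table)}")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    handoff_size, handoff_addr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    info: Dict[str, object] = {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "handoff_size": handoff_size,   # bytes of the platform binary
        "handoff_addr": handoff_addr,   # physical address Windows copies it from
        "content_layout": layout,
        "content_type": ctype,
        "command_line": "",
    }
    if ctype == CONTENT_TYPE_NATIVE_APP:
        # Type-1 trailer: 2-byte argument length, then the UTF-16LE argument string.
        off = ACPI_HEADER.size + WPBT_BODY.size
        (arg_len,) = struct.unpack_from("<H", table, off)
        info["command_line"] = table[off + 2:off + 2 + arg_len].decode("utf-16-le", "replace").rstrip("\x00")
    return info

def audit_wpbt(table: Optional[bytes]) -> List[str]:
    """Turn a raw table (or its absence) into findings a reviewer can act on."""
    if not table:
        return ["no WPBT present: firmware is not injecting a binary into Windows"]
    try:
        info = parse_wpbt(table)
    except ValueError as exc:
        return [f"malformed WPBT ({exc}): inspect the firmware image directly"]
    findings = [
        "WPBT present: firmware-supplied code runs at every boot and survives OS reinstalls",
        f"platform binary: {info['handoff_size']} bytes at physical 0x{info['handoff_addr']:X}"
        f" (OEM {info['oem_id']!r}, table {info['oem_table_id']!r})",
    ]
    if (info["content_layout"], info["content_type"]) != (CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_APP):
        findings.append("undocumented content layout/type values: inspect manually")
    if info["handoff_size"] == 0:
        findings.append("zero-length handoff region: table present but points at nothing")
    if info["command_line"]:
        findings.append(f"binary is launched with arguments {info['command_line']!r}")
    return findings

def build_wpbt(oem_id: bytes, oem_table_id: bytes, handoff_addr: int, handoff_size: int,
               command_line: str = "") -> bytes:
    """Assemble a spec-shaped WPBT with a valid ACPI checksum (used here to make sample input)."""
    # Assumption: the length field counts the UTF-16LE bytes including the null terminator.
    args = (command_line.encode("utf-16-le") + b"\x00\x00") if command_line else b""
    body = WPBT_BODY.pack(handoff_size, handoff_addr, CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_APP)
    body += struct.pack("<H", len(args)) + args
    fields = [b"WPBT", ACPI_HEADER.size + len(body), 1, 0, oem_id.ljust(6), oem_table_id.ljust(8), 1, b"DEMO", 1]
    fields[3] = (-sum(ACPI_HEADER.pack(*fields) + body)) % 256  # fix up the checksum byte
    return ACPI_HEADER.pack(*fields) + body

def read_wpbt_from_firmware() -> Optional[bytes]:
    """Windows only: fetch the live table via kernel32!GetSystemFirmwareTable."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")     # documented provider value 0x41435049
    table_id = int.from_bytes(b"WPBT", "little")  # table signature as a little-endian DWORD
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None  # ERROR_NOT_FOUND: this firmware publishes no WPBT
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw

# Constructed sample table for offline runs; not a dump from any real firmware.
SAMPLE_WPBT = build_wpbt(b"EXAMPL", b"WPBTDEMO", handoff_addr=0x7F123000,
                         handoff_size=0x4000, command_line="-quiet")

if __name__ == "__main__":
    for line in audit_wpbt(read_wpbt_from_firmware() if sys.platform == "win32" else SAMPLE_WPBT):
        print(line)
```

Run it from an administrator prompt on the Windows box under review. A "WPBT present" finding means that on every boot, including the first boot after a clean reinstall, the Session Manager will write the firmware's image to disk (Windows drops it as wpbbin.exe under System32) and execute it exactly as the documentation quoted above describes; the next step is to pull that binary, check who signed it and what it does, because the firmware, not the operating system install, decides whether it is there. Note that a valid checksum and documented layout values say nothing about the binary's intent: the Lenovo Service Engine described above was a perfectly well-formed WPBT entry.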