Lenovo Promises: No More Bloatware

PC Maker Offers Clean Windows Builds, Full Transparency

Lenovo, the world's largest PC manufacturer, has promised to stop preinstalling any software on its Windows laptops that doesn't need to be there in a move to provide "cleaner, safer" PCs.

"We are starting immediately, and by the time we launch our Windows 10 products, our standard image will only include the operating system and related software, software required to make hardware work well - for example, when we include unique hardware in our devices, like a 3D camera; security software; and Lenovo applications," Lenovo says in a Feb. 27 statement. "This should eliminate what our industry calls 'adware' and 'bloatware.' For some countries, certain applications customarily expected by users will also be included."

Microsoft has said that Windows 10 will ship "later this year."

Lenovo's move raises the possibility that other PC manufacturers might also cease preinstalling unnecessary software, which is often referred to as bloatware, trialware and junkware. "Hope others follow suit," tweets cybersecurity consultant Matthew Harvey at consultancy Anchor Technologies.

Many information security experts have been calling on all PC and mobile device manufacturers - including Lenovo - to give consumers the option of installing a "bare metal" - unadulterated - version of Windows. But the industry has long had financial incentives for not doing so. Lenovo, for example, confirmed that it had received payment from Superfish in return for preinstalling its adware. Security experts say such financial arrangements are common and call into question any claims that such software gets preinstalled for consumers' benefit (see Time to Ban the 'Bloatware').

Superfish Fallout

Lenovo's announcement comes in the wake of it being heavily criticized for having preinstalled the Superfish Visual Discovery adware on many of its consumer laptops beginning in September 2014 (see Lenovo Slammed Over Superfish Adware). The company this week also saw its public-facing website get hacked by the group Lizard Squad in apparent retaliation for Superfish (see Lenovo Website Hijacked).

After information security experts began sounding warnings over vulnerabilities created by the adware, Lenovo this month responded, at first, by saying it had added Superfish to its Windows laptop client builds "in our effort to enhance our user experience." But Lenovo ultimately backtracked and promised to cease installing the adware after researchers documented how the Superfish software could be abused by attackers to monitor users' communications, and the U.S. Computer Emergency Response Team issued a related alert.

Lenovo also released a downloadable tool for removing the adware, as well as the risky root certificate that it installs, and began working with Intel Security - formerly McAfee - as well as Microsoft and Trend Micro, which all began classifying the adware as a malicious executable and updating their anti-virus engines to quarantine and delete the software whenever it was found (see Lenovo Hits 'Kill Switch' on Adware).

Lenovo's chief technology officer, Peter Hortensius, also issued an apology, saying that the company had failed to do its due diligence before preinstalling the Superfish adware.

Lenovo Promises 'Bloatware' Ban

Now, however, Lenovo has promised to stop preinstalling all unnecessary software, as well as fully detail any add-on software that it does install. "Lenovo will post information about all software we preload on our PCs that clearly explains what each application does," it says. "And we will continuously solicit feedback from our user community and industry experts to ensure we have the right applications and best user experience."

Lenovo also says that within the next week, the owners of any Lenovo laptops on which Superfish was preinstalled will get a free six-month subscription - or for existing customers, extension - to McAfee anti-virus software.

Superfish was preinstalled on numerous consumer-oriented Lenovo PCs, raising the prospect that the adware might be present inside enterprises via any employees' BYOD systems. But Lenovo has emphasized that Superfish was not preinstalled on any of its business systems. "No ThinkPads, desktops, tablets, smartphones nor any enterprise server or storage product was impacted."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



