Microsoft Warns Workaround Preventing Lenovo ThinkPad BSOD Increases Risk

An anonymous reader quotes ZDNet: Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of deaths (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login... It's the same as Lenovo's earlier workaround but comes with a stern security warning from Microsoft.

Microsoft also explains how Lenovo Vantage violates Microsoft's security controls in Windows.

Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft. The workaround also affects some of Microsoft's latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard. "This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk," Microsoft states....

The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn't said when that will be available.

was it Intel's fault?

[majorme]

"The issue occurred when Lenovo's Vantage app for updating hardware drivers attempted to use the Intel Management Engine to interface with firmware, which got blocked by the BIOS setting in the security update." I don't know what to make of this

It's Lenovo hacking

[raymorris]

If you want to assign "fault", it's Lenovo's fault.
Their software was bypassing the supported APIs to access hardware directly. The OS and hardware should prevent that - and eventually they did.

Re:

[transwarp]

I have a ThinkPad. The setting in Vantage to disable updates doesn't even work. As long as the service is running, it will install updates whenever it feels like it regardless of the setting. 3D driver updates in the middle of running a 3D application are not fun.

Re:

[arglebargle_xiv]

You can disable that PoS but it's a lot of work. First, set:

HKLM\Software\Policies\Lenovo\ImController\Plugins\GenericMessagingPlugin\Imc-Block = DWORD:00000001
HKLM\Software\Policies\Lenovo\ImController\Plugins\LenovoContextEnginePlugin\Imc-Block = DWORD:00000001

to disable the Vantage plugins, then disable the "System Interface Foundation V2 Device" which will prevent (disad)Vantage from running, then set:

HKLM\SOFTWARE\Wow6432Node\Lenovo\System Update\Preferences\UserSettings\Scheduler\SchedulerAb

Re:

[arglebargle_xiv]

"The issue occurred when Lenovo's Vantage app for updating hardware drivers attempted to use the Intel Management Engine to interface with firmware, which got blocked by the BIOS setting in the security update." I don't know what to make of this.

After passing it through my ever-handy Starfleet universal translator I'm getting either "Klingons off the starboard bough" or "I'm a doctor, not an escalator". Not sure which one it is.

Short summary

[raymorris]

Here's a short summary of the issue.
A basic tenet in software security is that all application access to the underlying hardware must go through the OS, via predefined APIs. Here's a simple example of why.

Suppose you set a file to be owned by Bob and only accessible to Bob.
Fred runs a program that directly accesses disk sectors.
Fred can then read or modify Bob's file, circumventing the permissions on the file.

Lenovo's software directly accesses PCI configuration without going through the documented OS API. It could, therefore, access data belonging to another application or user. Windows disallows this.

The work-around is to disable the protections, allowing application software to directly access PCI hardware. That makes the machine non-secure.

  Non-secure may be okay for your media player. It's very much not okay for my main work computer, which has access to all company secrets (authentication tokens etc). Judge for yourself whether a particular computer needs to be secure.

Re:Short summary

[Sin2x]

I'll make it even shorter: Lenovo are the bad guys here.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[photofan1984]

I wonder how many other major hardware manufacturers do these sort of workarounds that compromise OS security? Do they document them? Who wants to buy hardware that can may make your computers more vulnerable which makes it harder to protect the secrets of your company, your customers, and your third party partners?

Re:

[arglebargle_xiv]

Sometimes the reason for doing it is because stoopid, but other times it's because you have to bypass Windows because Microsoft has arbitrarily decided that you can do $this but not $that, I mean why would anyone ever want to do $that in the first place so we won't let you do it. In particular if your hardware has one or more fancy features and Windows doesn't recognise them or allow their use then you have to go via non-permitted-by-Microsoft channels to make things work.

Not sure whether that's the case

a better workaround would be

[FudRucker]

wipe windows off, install GNU/Linux on,
problem solved
/thread

Re:

[Nkwe]

wipe windows off, install GNU/Linux on, problem solved

The article says (and a prior post mentions):

"If a process tries to access PCI configuration space in an unsupported manner (such as by parsing MCFG table and mapping configuration space to virtual memory), Windows denies access to the process and generates a Stop error," Microsoft explains.

Under GNU/Linux if a privileged process attempts to access hardware in an unsupported way, ending up creating a known security problem, what happens? Does it create a kernel panic, or does it just ignore the situation? Is it even aware of this kind of situation?

Looks like Windows is aware of some of these situations and does something about it as default behavior (which can be disabled but Microsoft recommends against it for stated security reasons.)

Re:

[raymorris]

In general, the kernel would just return an error message to the application.

I can't really answer more specifically as to how Linux would respond to an application trying to call THIS Windows function in an unsupported way, because Linux doesn't *have* this specific Windows function. The Linux API to the IME is fundamentally different; in Linux all devices (and everything else) are files.

Re:

[e432776]

This is an interesting question. I think the Lenovo software in question might be Windows-only, so we may never know.

Re:a better workaround would be

[Shades72]

After reading the umpteenth 'Remove Windows, install Linux and be done with it"-style of comment, I was always of the mindset "Yeah, yeah we know already, blah, blah..."

However, about a year ago I bought a second hand laptop. Came with Windows 8. Microsoft insisted on putting Windows 10 on it and since then nothing but misery. After turning it on, you had about 30 minutes of the laptop functioning as you would expect. But after that it became very slow, responsiveness went to 0, closing the lid to make it go to sleep would often not work, 'waking up' was even worse.

Did a complete re-install of Windows 10. Same problems, only now it took about an hour before acting up. Got so fed up with it, I created a boot-able pendrive and ran a "live" instance of Pop!_OS 20.04. Not one problem.

Getting acquainted with the Pop!_OS interface wasn't much of an issue at all, 'sleeping' and 'waking' worked reliably, no hang-ups, remained responsive after opening a browser (FireFox) with 6 tabs, a terminal, creating a document in LibreOffice, having multiple instances of the file manager busy with copying stuff, while playing an audio file. Not a glitch for hours on end.

All that the Windows 8 version of the laptop could do as well. Yet when running Windows 10 I was happy if Firefox with just 2 tabs open would not bring the laptop down to a screeching halt.My 2 desktop PCs run Windows 10 and that won't change any time soon. But that laptop? It won't be using any version of Windows anymore. Pop!_OS is very pleasant to use and you must know I have worked with every version of Windows since 3.1 and enjoyed doing so with most of these.

Lenono no more

[groobly]

I've owned multiple Lenovo machines. Hardware failed miserably. Lenovo software was riddled with bugs. Lenovo support was terrible. The IBM laptop that preceded them, from 1999 (!) still works just fine (with 1999 software). Draw your own conclusion. I don't buy Lenovo products.

Re:

[lactose99]

Counterpoint: I own 8 Lenovo ThinkPads and 2 ThinkCenters, they all still work just fine.

Re:Lenono no more

[Nuitari The Wiz]

Counterpoint: I manage company wide IT, about 100 computers in all. Probably a total of 80 Lenovo laptops and desktops, a mix of whatever came out between now and 5 years. Always in the economy business lines and with non OEM upgrades. At most 4 hardware repairs across them over the years.

Since the earlier Lenovo debacle (that stupid wild card root certificate), its been SOP for us to just wipe the OEM install and start a fresh one from Microsoft media. We also do install and support Linux on request.

The worst are the Microsoft Surfaces. Frigging nightmares that can't handle the load of a Zoom meeting. Thankfully they have now all been retired (thank you COVID for that!!!).

Re:

[Rewind]

Though if you need to cook an egg after a Zoom meeting the Surface might be an excellent option! :)

Re:

[toddestan]

At work they switch between Dell and Lenovo. I find the Dell computers to have less problems and stability issue, less failures, and last longer than the Lenovo machines (though we'll see about the newer batches of Dells that now have sealed in batteries). On the other hand, the Lenovo machines are better designed, have better ergonomics, and have better screens and keyboards. For the most part, they put their own images on the machines that are free of Lenovo (and Dell's) crapware. Instead they put the

Microsoft endangering computers

[minorityreport]

The solution is to wipe Windows and install a Linux Distro.

Exaggerated

[MessageDrivenBean]

The text "Use this workaround at your own risk" is nowhere to be found on the Microsoft support page.

Re:

[Munchr]

The full quote "This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk," appears on the ZDNET article itself, and is directly attributed to Microsoft by the articles author - Liam Tung. As you have pointed out, Microsoft has NOT said any of those words, no

Just ThinkPads?

[neuro88]

Is this only related to ThinkPads? I have had a Lenovo Legion 7i for about 1.5 months now, and when I updated to 2004... It definitely gave me trouble. Windows automatically rolled back the update... I immediately tried again and it worked. There's no biometric login on this laptop, but Lenovo Vantage is definitely a thing here.

As a side note, my primary OS is Linux, which works pretty great on this thing... Other than not being able to get sound from the speakers, which is kind of a big deal: https://bu [kernel.org]

Re:

[arglebargle_xiv]

Last I heard all drivers had to be submitted to Microsoft's WHQL testing process where, if/once greenlighted, it would be code signed by Microsoft so it could be installed by Windows machines. i.e.: if a driver is not signed by Microsoft WHQL it can't actually be installed. Does Microsoft no longer enforce this requirement, or did they just drop the ball (again)?

WHQL is still enforced, but why would you think something signed by Microsoft is non-malicious or free of security holes? They run some tests to make sure your driver probably won't blue screen the system, or at least can fake not blue-screening the system when run in WHQL test mode, and then let it in. That's all.