The only reason it's not an ongoing issue is that Lenovo recently released an optional patch that removes the offending code. Why? As you might have guessed, forcing a PC to download programs on boot introduces a massive security risk -- attackers can spoof the server and install malware whenever you restart your computer. That's more than a little disconcerting, especially if you thought that Lenovo had already removed vulnerable software from your system.

Lenovo was technically in the clear. It was taking advantage of a little-known feature, the Windows Platform Binary Table, to insert the code. However, Lenovo's approach was largely unadvertised to users and "not consistent" with Microsoft's current security guidelines. You might not have known that Lenovo was loading this software in the first place, let alone that it created a security hole. While it's good to know that there's a fix, the discovery underscores the problems with letting PC vendors override core Windows functions -- in at least some cases, they're creating more problems than they solve.

Update: Lenovo has since released a statement noting that all systems made from June onwards ship with BIOS firmware that eliminates the vulnerability, and that it is no longer installing Lenovo Service Engine (the problematic software) on PCs. If you have any Think-branded computers, they're already LSE-free.