Lenovo and the Superfish nightmare.

It's not too often that Lenovo gets dinged for making a bad decision. After all, Lenovo is the top supplier of PCs in the world, and it didn't get there through a series of mishaps. Nevertheless, Lenovo has come under fire for installing hidden software on its consumer laptop and desktop PCs that injects third-party ads on Google searches and websites. Even worse, Lenovo reportedly gave Superfish permission to issue its own security certificates, which allows it to hijack SSL/TLS connections to websites, also known as a man-in-the-middle attack.
Superfish is intended to help consumers find and discover products by analyzing images on the web. The visual search tool could allow you to look up an item you've stumbled upon but might not know the name of, or to find similar products that are perhaps more affordable.
Unfortunately, Superfish has been found to do more than it says. After users complained about it on Lenovo's forums, Lenovo social media program manager Mark Hopkins sought to extinguish the flames by telling users that Lenovo had removed the software, at least for now.
"Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues," Hopkins said.
He went on to defend the software and tout its merits, though he didn't address complaints that it's injecting its own self-signed certificates and intercepting web traffic, behavior that was confirmed on Twitter by a security engineer at Google.
BBC News spoke with security expert Prof Alan Woodward, who described Superfish as being "like Google on steroids." He also said that people have shown it can intercept pretty much anything on the web.
"If someone went to, say, the Bank of America then Superfish would issue its own certificate pretending to be Bank of America and intercept whatever you are sending back and forth," Woodward said.
Users do have the option of declining the software when firing up their laptop or desktop for the first time, though, according to The Guardian, some have complained that it installs anyway and remains on the system even after the software is uninstalled.

Lenovo has released a tool to help users remove Superfish, according to a statement released today by the company.
Superfish is an adware program that was pre-installed on Lenovo's consumer PCs and made users vulnerable to attack. The Superfish bug quickly went from bad to worse yesterday when researchers found and published a password that would allow anyone to unlock the certificate authority and bypass the computer's web encryption. With the password and the right software, a person on the same Wi-Fi network as a bugged Lenovo user could potentially spy on that user, or insert malware into the data stream.
Users need to uninstall Superfish and remove the certificate
The tool allows users to automatically uninstall the Superfish application and remove the certificate from web browsers, which previously could only be done manually. In the statement, Lenovo said, "We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. This action has already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."
Users with infected computers will need to uninstall Superfish and remove the certificate in order to completely fix the issue. Researcher Filippo Valsorda created this test to show whether your computer is infected.
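Why uninstalling the application alone does not close the hole, as an added example that is not code from Lenovo, Superfish or the article: a constructed self-signed root stands in for the injected certificate (not the real one or its key), a leaf is minted under it for a hostname chosen here (bank.example), and Go's standard verifier is asked whether a client would accept that leaf with the root in its trust store and again after the root certificate is removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent; a nil parent makes tmpl a self-signed root.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario builds a constructed stand-in for the injected root (not the real Superfish certificate or key), mints a leaf
// for host under it, and reports whether a client accepts that leaf with the root trusted and after it has been removed.
func Scenario(host string) (withRoot, withoutRoot bool) {
	root, rootKey := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Injected Root (constructed)"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, nil, nil)
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}, root, rootKey)
	compromised := x509.NewCertPool() // trust store with the adware root still installed
	compromised.AddCert(root)
	// Verify is the check a browser makes: does leaf chain to a held root and name host?
	_, errWith := leaf.Verify(x509.VerifyOptions{Roots: compromised, DNSName: host})
	_, errWithout := leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host})
	return errWith == nil, errWithout == nil
}
```

Scenario("bank.example") returns true for the compromised store and false once the root is gone, which is why the removal tool has to strip the certificate and not just the program.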
Superfish is present on Lenovo laptops sold between September 2014 and January 2015, although Lenovo says no ThinkPads were shipped with the adware.