Lenovo IdeaPad Yoga 310x

Superfish adware effectively breaks secure HTTPS protocol on Lenovo computers.

[Update 2: Lenovo’s instructions for Superfish app removal can now be found here.]

Update: Lenovo CTO Peter Hortensius told The Wall Street Journal in an interview today that his company is working on a tool that will remove the Superfish software off of the company’s PCs.

“…we will provide a tool that removes all traces of the app from people’s laptops,” said Hortensius. “Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.”

Hortensius was adamant that the Superfish app has not done anything “nefarious” to Lenovo machines yet, but “…this was not something we want to have on [our systems].”

It will be interesting to see how and if the Superfish incident will impact Lenovo’s PC sales going forward — both from a financial standpoint as well as a reputation point of view. We’ll post additional updates as they arise.

Original Story: We’ve all had our experiences with bloatware that comes pre-installed on laptops and desktops, but Lenovo’s latest adware fail tops them all.

While news of the adware didn’t go wide until last night, it was discovered a few weeks ago that Lenovo has been installing adware on its consumer-oriented PCs out of the box for months, if not longer. The adware, called Superfish, activates as soon as a new Lenovo computer is turned on for the first time, and does as much without directly informing the user of its presence.

In a nutshell, Superfish is a data-seeking piece of middleware, analyzing your web searches and browsing history. This information is then used to curate third-party ads, which show up at the bottom of Google searches (or whatever engine a Lenovo owner might use). All of this is done reportedly without user permission.

But it gets worse. Not only does Superfish place ads you don’t want to see, but it also has a pre-installed trusted root certificate on the Lenovo machines in question. This “man in the middle” process allows Superfish to issue SSL certificates, which allows the software’s advertising to run even when you think a connection is secure via HTTPS.

SSL certificates are used to ensure secure computing when sensitive data is being accessed. (It’s what generates the little padlock icon if you have HTTPS enabled). In other words, SSL ensures that the Bank of America website you’re visiting is the actual bank website, and not a trap set up by a third party. Because Superfish adware on Lenovo machines has the ability to issue SSL certificates, and does so via a web proxy, a key is needed to issue the certificates. If that key is compromised (and it looks like it has been compromised), then hackers could potentially steal private information via your falsely secure site connection.

Uninstalling the adware will not kill the certificate, which needs to be removed manually.

But there’s some good news here as well. For starters, Firefox users aren’t compromised because the browser uses its own SSL certificate database. While Internet Explorer and Google Chrome are susceptible, chances are Google will push out a Chrome update that blocks the Superfish certificate.

Lenovo has stressed that its relationship with Superfish ended in January (see the statement here), but an unknown number of Lenovo machines could still be affected by the compromised admare.

Source: Y Combinator | Lenovo

You may also like