Lenovo admitted it blundered by pre-installing Superfish adware on some of its consumer laptops from last September to December, opening an uber-invasive superhighway for attackers to steal users’ encrypted Web data or stored online passwords.

DH Kass, Senior Contributing Blogger

February 20, 2015

3 Min Read
Lenovo Gambles User Trust with Superfish Security Blunder

After years of seemingly doing everything right, Lenovo surprisingly stepped in a big pile of you-know-what, pre-installing Superfish adware on some of its consumer laptops from last September to December and opening an uber-invasive superhighway for attackers to steal users’ encrypted Web data or stored online passwords.

Really? In this age of heightened invasive attacks and ramped up security concerns, Lenovo gambled user trust? The company astonishingly claimed it didn’t know that the Superfish adware is constructed to hijack encrypted Web sessions and exposes users to HTTPS man-in-the-middle attacks, as many news organizations subsequently reported.

Superfish isn’t your garden-variety bloatware. As Ars Technica described, it installs a self-signed root HTTPS certificate so when a user “visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.”

To make matters worse, the Chinese PC conglomerate initially insisted that it installed the Superfish software “to help customers potentially discover interesting products” while shopping. “The relationship with Superfish is not financially significant,” Lenovo said. “Our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.”

But overwhelmed by an onslaught of heavy criticism from security experts, Peter Hortensius, Lenovo’s chief technology officer, subsequently acknowledged the company “didn’t do enough” due diligence prior to pre-installing Superfish, even though he continued to suggest that the alarm was overblown. Still, he admitted the vendor need to respond quickly to consumers’ concerns, saying it will release software today that washes any data from the Superfish app from the infected laptops.

Hortensius also told PCWorld that Lenovo already has instructed users how to remove the Superfish software. “We’re removing it as thoroughly as we possibly can,” he said.

Adi Pinhas, the chief executive of Superfish chief executive, in a statement insisted that Superfish is “completely transparent” to users and “at no time were consumers vulnerable–we stand by this today.”

Lenovo is the only vendor to pre-install Superfish on its PCs, Pinhas said.

Security experts understandably were alarmed by Lenovo’s blunder. “Bloatware needs to stop,” Ken Westin, Tripwire security analyst, told ComputerWorld. “Companies like Apple, which sell their products on their own merits, they don’t sell out their customers with this adware crap.”

The Verge reported that Microsoft has updated its anti-malware Windows Defender to remove Superfish. Windows Defender will reset any SSL certificates that were circumvented by Superfish, restoring the system to proper working order, the Verge report said.

Lenovo’s Hortensius told the Wall Street Journal the vendor isn’t “trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.”

He said by Friday the vendor “will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.”

Read more about:

AgentsMSPsVARs/SIs

About the Author(s)

DH Kass

Senior Contributing Blogger, The VAR Guy

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like