Lenovo to customers: We only just found out about this Superfish vuln – remove it NOW

A bruised Lenovo has finally released a removal tool for the Superfish vuln that hijacks web browsers to inject ads into pages.

It comes after the Chinese PC maker spent the past few days attempting to make the bad news about the badware go away, with the claim that it had "stopped preloads [of the Superfish software] beginning in January".

Lenovo said late on Friday that it was taking "additional actions" to address customer concerns about the vulnerability.

But it did this only after watchdog US-CERT warned that the vuln could be exploited to "allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system."

As The Register previously reported, the malware installs its own CA certificate, so that it can then sneakily intercept and decrypt HTTPS connections, tamper with pages and then inject ads.

Lenovo has now released an "automated tool to help users remove the software and certificate".

It added that it was working with Microsoft and McAfee to help the firm kill or, at least, quarantine the crapware.

In a chin-on-the-floor statement, Lenovo said:

We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday [Friday, 20 February]. Now we are focused on fixing it.

Since that time we have moved as swiftly and decisively as we can based on what we now know. While this issue in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed.

We apologise for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future.

Superfish claimed on Friday that computer users needn't worry about the code – despite the concerns expressed by US-CERT and security bods.

"Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped," said the outfit's chief Adi Pinhas.

"Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat." ®