Superfish: Lenovo ditches adware, but that doesn't fix SSL megavuln – researcher
Here's how to zap the ad-injecting crapware
Lenovo is attempting to defuse controversy over its pre-installed Superfish crapware – which appears to have run man-in-the-middle attacks against consumers in order to sling ads – by saying it has discontinued use of the visual-recognition technology on new laptops and promising to review outstanding concerns.
Superfish reportedly intercepted users' traffic to sling ads at them even when they were visiting banking websites.
The adware-on-steroids installs its own self-signed root CA certificate in Windows, then generates a certificate on the fly for each attempted SSL connection so the browser accepts the intercepted session without complaint. It has been reported that Superfish served such forged certs even for banking websites, putting itself in the middle of those connections.
The issue provoked isolated complaints on Lenovo tech forums over recent months, with Lenovo issuing an official response in January. Social media program manager Mark Hopkins said:
To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.
But the problem only hit the mainstream after security researcher Marc Rogers wrote about it on Wednesday (here), provoking the angriest reaction against a tech firm since the Sony BMG rootkit affair back in 2005.
Lenovo was deliberately breaking secure connections, and in the process making it easier for any attacker to spoof any HTTPS website, say researchers. Because every affected laptop trusts the same Superfish root, obtaining its private key from one Lenovo laptop would allow the technically knowledgeable to snoop on the web traffic of any other Lenovo user on the same network.
That’s all aside from the more immediate concerns that Lenovo was spying on users' bank/medical/dating web data before monetising it through pop-up ads.
The earliest Lenovo forum posting on the issue dates back to June 2014.
Quizzed by El Reg, Lenovo issued a statement saying that it had ditched the technology and further claiming that it had disabled existing installations. This goes further than its previous line in public forums, which was that it would simply update the adware.
Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish.
Superfish was preloaded onto a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish.
Simply removing the adware – which is already detected as unwanted by many security software firms – doesn't deal with the problem, because the self-signed root certificate stays trusted in Windows; users need to remove the certificate manually. Microsoft has an explanation on how to do this here.
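As an added example (not from the article, Lenovo or Microsoft), the following PowerShell audit lists every self-signed root in the Windows root certificate stores, flags any whose subject names Superfish, and prints the Remove-Item command that deletes it. It assumes an elevated PowerShell 3.0 or later session; the store paths checked and the "Superfish" name match are assumptions about the affected machine.

```powershell
# Added example: audit the Windows root stores for an injected root CA
# such as Superfish, and show how to remove it.
# Assumptions: elevated PowerShell 3.0+ session; standard Cert: drive cmdlets.

$suspectNamePattern = 'Superfish'   # subject substring to flag (name taken from the article)

# Root stores where a vendor installer could have planted a trusted CA.
$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $rootStores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            # A root CA is self-signed: its subject and issuer DNs are identical.
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # A trusted root whose private key lives on this box can mint
            # certificates for any site; that is the interception pattern.
            HasPrivateKey = $cert.HasPrivateKey
            Suspect       = ($cert.Subject -match $suspectNamePattern)
        }
    }
}

# Every legitimate root is self-signed too, so this table is for review:
# look for entries you did not install and for HasPrivateKey = True.
$findings | Where-Object SelfSigned | Sort-Object Store, Subject |
    Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

# Report Superfish matches explicitly, with the exact removal command.
$superfish = $findings | Where-Object Suspect
if ($superfish) {
    foreach ($f in $superfish) {
        Write-Warning "Found '$($f.Subject)' in $($f.Store) (thumbprint $($f.Thumbprint))"
        Write-Host    "Remove with: Remove-Item -Path '$($f.Store)\$($f.Thumbprint)'"
    }
} else {
    Write-Host "No root certificate matching '$suspectNamePattern' found."
}
```

Run the script, remove any matching root, then restart the browser: uninstalling the adware alone leaves the certificate in place, and Firefox keeps its own trust store, so it needs the same check separately.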
Robert Graham of Errata Security has put together a well-written blog post explaining how Superfish works here. An FAQ by security veteran Graham Cluley on the Tripwire blog can be found here.
The controversy has sparked a debate among security experts about the economics of the PC manufacturing business, which suffers from notoriously low margins.
People surprised at Lenovo / Superfish don't understand the economics of consumer laptops. Margins are negative w/o preinstalled crapware. — halvarflake (@halvarflake) February 19, 2015
The #lenovo #superfish debacle is just another reason to ban vendors installing anything beyond necessary drivers and OS. — Paul Moore (@Rambling_Rant) February 19, 2015