Lenovo Claims Superfish Preloads Stopped in January but Fears Persist

Lenovo is desperately trying to fight the fire of negative publicity that has engulfed its decision to pre-install adware called Superfish onto a range of laptops without telling customers.

The Chinese PC giant said in a statement that preloads of the much-despised adware – which has been discussed at length on Lenovo forums – had actually been stopped back in January.

It added:

“We shut down the server connections that enable the software (also in January, and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future.”

Users can find out more about removal here and here.

The firm clarified that Superfish had never been installed on ThinkPads, desktops or smartphones, enterprise servers or storage equipment.

“We thought the product would enhance the shopping experience, as intended by Superfish,” Lenovo continued. “It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software.”

The technology is meant to help shoppers by analyzing images on the web and presenting similar product offers with lower prices – thus “helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

However, it turned out it did this effectively by launching Man in the Middle (MITM) attacks against users thanks to thousands of fake, self-signed root certificates. They were all signed with the same root certificate, meaning HTTPS security is broken for all of the affected laptops.

Not long after the news was announced, Errata CEO Rob Graham managed to crack the password for the fake certificate, meaning that hackers could technically launch MITM attacks against any of the affected laptops via public Wi-Fi and they wouldn’t flag any wrongdoing.

Webroot threat researcher, Roy Tobin, argued that pre-installs of bloatware like Superfish are common practice in the industry and argued that this story should be a “wake-up call for consumers.”

“Whatever the decision around how ethical it is to do this, the increased awareness will at least give consumers the knowledge they need to opt out or un-install such programs,” he added.

“Whether it's unwanted adware from the manufacturer or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”

Wim Remes, manager of strategic services EMEA at Rapid7, claimed that Lenovo’s undermining of internet security was “a big disappointment.”

“We can not expect each individual user to be able to verify which systems are trusted or not. Everybody in the supply chain has a responsibility that can not be denied,” he added.

“Vendors of consumer hardware, having a vested interest in a secure internet, should hold themselves to a high standard. The security of their users should always prevail over the commercial benefit of adding third party software to systems.”

What’s Hot on Infosecurity Magazine?