Tag Archives: superfish

Lenovo officially responds to Superfish, releases list of affected systems

Lenovo has issued another official statement regarding its Superfish security debacle alongside a list of affected systems. The company’s response to the entire affair is going to be taught in future marketing texts as an example of how not to respond to a crisis — each successive statement has inched towards admitting responsibility and acknowledging a problem. The company still maintains that it thought Superfish would “enhance the shopping experience,” but claims that it acted “swiftly and decisively” once concerns were raised. It continues, however, to maintain a long list of what Superfish doesn’t do and makes repeated reference to the fact that Superfish doesn’t engage in active, specific, targeted user monitoring.

The first sign that Lenovo is still struggling to understand the enormity of its screwup is when it claims “Users are given a choice over whether or not to use the product.” This is flatly untrue. Superfish shipped as a pre-installed default on user systems; the only “choice” users were given was whether or not to click “Accept” for the entire laptop. There’s zero evidence suggesting that users were aware that doing so would fatally compromise their security. Our guide to removing Superfish and its false certificate is available here.

An evolving message and a very deep hole

Lenovo’s first responses to this problem were a mixture of tone-deaf and defiant, loudly certifying that the company had created no security flaw, that all such issues were theoretical, and that it stood by the security of the Superfish software. This changed later — sentences like “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns” have now been stricken from the record. Lenovo has also walked back its support for Superfish, though the CEO of that company, Adi Pinhas, still claims that Superfish is “completely transparent.”

Window Shopper

It’s possible that Lenovo has begun to wake up to just who it jumped in bed with. Forbes has an extensive profile on Mr. Pinhas’ history, and it’s not a flattering one. Superfish has been behind multiple previous adware and malware products, including the much-maligned Window Shopper. It’s also now been discovered that the same company has provided a similar solution to multiple other software products, including “Keep My Family Secure” (produced directly by the company), Qustodio’s parental control software, and Kurupira’s Webfilter. In every case, the password on the private key is always “komodia.”

Possibly impacted systems

Lenovo has released a list of affected systems, but the wording is rather odd. The company states that Superfish may have appeared on the following models (emphasis added):

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

I’m genuinely uncertain what to make of the words “May have.” Microsoft has its Signature series, where you can buy laptops from other vendors that are guaranteed to ship without bloatware of any kind, but apart from those systems, Lenovo should know whether or not its laptops shipped with this software.

The company has yet to release an actual tool for removing the software and security certificate, but Microsoft has already updated its own Windows Defender to do so. Firefox and Thunderbird users, however, will still need to clean those systems manually.


Lenovo’s Superfish security snafu blows up in its face

The preloaded Superfish adware does more than hijack website ads in a browser. It also exposes Lenovo owners to a simple but dangerous hack that could spell disaster.

Removing software that comes with your brand-new Windows computer can be frustrating, but recently discovered software on new Lenovo laptops — the top-selling laptop brand in 2014 — can put your entire digital life at risk.

The preloaded software, called Superfish, alters your search results to show you different ads than you would otherwise see. But it also tampers with your computer’s security so that attackers can snoop on your browser traffic — no matter which browser you’re using.

“Attackers are able to see all the communication that’s supposed to be confidential — banking transactions, passwords, emails, instant messages,” said Timo Hirvonen, a senior researcher at security software maker F-Secure. That kind of threat, known as a man-in-the-middle attack because the hacker can spy on the users’ Internet traffic and infiltrate their computer, poses a serious risk to consumers, he said.

Lenovo is scrambling to fix the problem. “We messed up badly,” said Peter Hortensius, Lenovo’s chief technology officer. He claims Lenovo was unaware Superfish put consumers’ Internet traffic up for grabs. “The intent was to supplement the shopping experience.”

On Friday afternoon, the PC maker said it was working with McAfee and Microsoft to have Superfish “quarantined or removed.” Lenovo released a Superfish removal tool that it promised would eliminate all traces of the software from Lenovo computers. Also on Friday, the US Department of Homeland Security warned that the Superfish software introduces a “critical vulnerability,” and it issued its own instructions for removing the spyware from Lenovo computers.

Superfish said Friday that it is working with Microsoft and Lenovo on a fix, and minimized concerns by the government and security researchers.

“The Superfish code does not present a security risk. In no way does Superfish store personal data or share such data with anyone,” Superfish said in an emailed statement. “Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped. Fortunately, our partnership with Lenovo was limited in scale.”

A spokesman for Microsoft, which makes the Windows operating system that powers Lenovo’s laptops, at first referred to Lenovo’s own security advisory on Superfish. On Friday he added that Microsoft has changed its default Windows security software to detect and remove the Superfish software.

At issue is the potential impact of preinstalled spyware making consumers and businesses vulnerable to hackers without their knowledge. Superfish’s technique for spying on otherwise secure communications from your computer could herald a new and dangerous trend for preloaded software. And by exposing consumer Internet traffic to the kind of attack Hirvonen describes, user trust is on the chopping block.

Why did this happen? Part of the reason is that since the 1990s, consumers have become accustomed to both preloaded software and apps showing ads without permission. But it’s practically unheard of for that software to expose laptop owners to this kind of attack.

“Consumers trust that their laptops won’t come with a vulnerability like this,” said Chris Wysopal, co-founder of security analysis company Veracode. And it’s not just consumers at risk from insecure browsers, but businesses, too.

Another reason Superfish is unusually dangerous is that it’s not an app like Adobe Photoshop or Microsoft Word, but rather code hidden from everyday users.

“You know it’s not helpful software because helpful software is easy to install, and find and uninstall,” said Galen Ward, the CEO of Estately, a startup focused on home buying and selling. He removed Superfish from an employee’s Lenovo Flex 2 laptop in January, but following standard protocols of searching the laptop for Superfish files didn’t work, he said.

Lenovo now has labeled the Superfish threat on its laptops as “high,” its most severe rating. Nevertheless, the immediate impact on consumers could be minimal if they take steps to clean their computers. If you are worried your computer has Superfish on it, CNET has a Superfish removal guide.

Superfish makes two changes to the way computers surf the Internet. It alters search results, including those from Google, so that when a user moves the mouse over a product, it shows additional information such as similar listings at lower prices. But Superfish also cripples a Web browser’s ability to communicate securely: it installs its own root certificate and re-signs sites’ certificates with it, so the browser accepts Superfish’s certificate for any site as genuine.
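Two checks follow from the way Superfish breaks secure communication: look in the trust store for a root certificate issued in Superfish’s name, and open a connection to a site and see whether the certificate it presents was signed by that root instead of a public CA. The script below is an added example written for this page, not code from the article, Lenovo or Superfish. It uses only Python’s standard library; the certificate dictionaries it works on have the shape that `ssl.SSLSocket.getpeercert()` and `ssl.SSLContext.get_ca_certs()` return, and the sample dictionaries, the `shop.example` host name and the vendor list are constructed for the example.

```python
"""Detect Superfish-style TLS interception from the defender's side.

Added example for this page (not the article's or Lenovo's code).
Check 1: scan the trust store Python loads for roots naming the vendor.
Check 2: connect to a site and see who signed the certificate it shows.
"""
import socket
import ssl
import sys

# Vendors known to ship an interception root. "Superfish" is the one the
# article is about; extending the list is an assumption left to the reader.
INTERCEPTION_VENDORS = ("superfish",)


def name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            out[attr_type] = value
    return out


def names_vendor(name_dict, vendors=INTERCEPTION_VENDORS):
    """True if the organization or common name mentions a listed vendor."""
    haystack = " ".join(
        name_dict.get(key, "") for key in ("organizationName", "commonName")
    ).lower()
    return any(vendor in haystack for vendor in vendors)


def find_interception_roots(ca_certs, vendors=INTERCEPTION_VENDORS):
    """Return the subject dicts of trusted roots that name an interception vendor."""
    subjects = [name_to_dict(cert["subject"]) for cert in ca_certs]
    return [subject for subject in subjects if names_vendor(subject, vendors)]


def issued_by_interceptor(peercert, vendors=INTERCEPTION_VENDORS):
    """True if the certificate a site presented was signed by an interception root.

    On a Superfish-equipped laptop the browser never sees the site's real
    certificate: it sees one minted on the spot and signed by the local root.
    """
    return names_vendor(name_to_dict(peercert["issuer"]), vendors)


def scan_trust_store():
    """Check 1 against the trust store the platform gives Python."""
    ctx = ssl.create_default_context()  # loads the platform's root store
    return find_interception_roots(ctx.get_ca_certs())


def check_site(host, port=443, timeout=5.0):
    """Check 2: open a TLS connection and inspect the presented certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issued_by_interceptor(tls.getpeercert())


# Constructed samples in getpeercert()/get_ca_certs() shape.
SAMPLE_INTERCEPTED_LEAF = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
SAMPLE_CLEAN_LEAF = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Root"),)),
}
SAMPLE_TRUST_STORE = [
    {"subject": ((("organizationName", "Example Public CA"),),
                 (("commonName", "Example Public CA Root"),))},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),))},
]


if __name__ == "__main__":
    roots = scan_trust_store()
    print("interception roots in trust store:", roots or "none")
    for host in sys.argv[1:]:
        verdict = "INTERCEPTED" if check_site(host) else "clean"
        print(f"{host}: {verdict}")
```

Run it with one or more host names as arguments to check live connections; with none it only scans the trust store. Note that Python shares the operating system’s root store, so on an affected laptop the connection validates just as it does in Internet Explorer or Chrome, which is exactly why the issuer check is needed. Firefox and Thunderbird keep a separate store that this script does not see, matching the article’s point that those have to be cleaned by hand.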

Lenovo’s Hortensius said the company is not aware of any consumers whose data was compromised in an attack because of the Superfish software. However, an investigation into Superfish by security researcher Robert Graham has shown that compromising a Lenovo laptop’s security via Superfish is more than merely theoretical.

Lenovo declined to say how many people own laptops infected with the software, but the company sold 16 million Windows computers in the fourth quarter of 2014, IDC said. It was installed on more than 11 types of Lenovo laptops sold to the public between September 2014 and January 2015, including the popular Yoga and Flex models. Lenovo has published a full list of affected computers.
