The Superfish scandal keeps getting worse and worse for Lenovo. Here’s what you need to know about this accidentally preinstalled malware backdoor in the new Lenovo machines.
The incident started when Lenovo began shipping computers preprogrammed with something called Superfish adware (Superfish is a separate adware company that created the software). It isn’t completely clear when this started, but it began possibly as early as June 2014. Putting pre-programmed adware on your new computer is bad enough, but Lenovo’s oversight quickly became much worse: The Superfish adware opens your computer up to attack and digital theft.
Superfish problems come on several different levels. The adware was designed to invade your search results and replace more native search engine ads with its own ad images – not very up-and-up, but not innately dangerous, either. However, the adware also manipulates security features on Lenovo computers, creating a giant hole for malware to sneak in and watch your browser activity – including any financial or identity information that you use.
Users began posting this discovery on forums back in late January, noting that the adware can self-sign its own certificate authority to monitor secure Internet connections, which is really not cool. Even worse, it was discovered that Superfish used an identical private key for its root certificate on every installation. That means with the right key cracking, a hacker could steal financial info not only from one individual computer, but from any new Lenovo computer. It isn’t exactly theory, either: Security experts and hackers alike have already posted notifications that they have cracked the key when testing the limits of the adware.
Lenovo users understandably panicked and looked for ways to remove what could become preinstalled malware. The logical first step is to find and remove Superfish – and Lenovo even issued a tool to help people remove the adware. Unfortunately, the root certificate weakness is separate from the adware itself, so this does not actually delete the core malware problem. Lenovo users did not appreciate this.
On the Lenovo side, the company began taking several actions to soothe irate and worried customers. In addition to creating the not-immediately-useful remove tool, the company assured people that it was no longer shipping computers with Superfish adware and that Superfish the company had agreed to disable its serves and render the product inactive. Paradoxically, Lenovo said that it had not found any evidence “to substantiate security concerns” but also apologized for the vulnerability. The paradoxes continued when Lenovo announced that while it would maintain contracts with Superfish, it also wouldn’t be using its software in any future computers.
The back-and-forth nature of the debacle has now led to both an individual and a class-action lawsuit against Lenovo and Superfish. The spyware nature of the Superfish vulnerability has the sharks smelling blood, and the matter could be dragged out in the courts long after the vulnerability has been addressed. As digital security continues to grow as an issue, cases like these are particularly worth watching because of the precedents they set for future company decisions and court decisions.
Suffice it to say, users with new Lenovo computers have a problem, and if you’re worried about Superfish and your Lenovo, there are a couple things you can do to make sure you are safe. Because the efficacy of removal tools may still be doubtful, it’s a smart idea to go in and look for the root certificate installation yourself so you can personally delete it along with Superfish.
If you aren’t confident in your own abilities, updates for Windows Defender and some other security programs now seek out that root certificate and destroy it. Note that if you use Firefox, you also have to search for saved certificates in Firefox and then delete Superfish when you find it. You should additionally change your logins and passwords if you’ve been running a Superfish adware computer. Also, when buying from Lenovo or any brand, check out what software is preinstalled before you make a purchase: Sometimes you get way more than you bargained for.
When he isn't enjoying the beautiful Northwest outdoors, you can find Tyler on business and tech sites, writing about the latest news, analyzing trends, and generally making the Internet a more interesting place.