UPDATED at 11:58 a.m. PT with comment from Lenovo.
Some Lenovo laptops have shipped with software that security analysts say can make users vulnerable to attacks.
Superfish is so-called adware — software that generates ads on a user’s screen. It’s designed to identify products that users are looking for on the Web and then push advertisements for those items. But security experts say it does so, in part, by breaking the encryption used to hide data when users visit supposedly secure websites.
British security researcher Graham Cluley says that effectively amounts to a “man-in-the-middle” hack, intercepting what should be secure communications, “all so they can display some irritating adverts.”
“You bet it’s bad,” Cluley wrote in a blog post. “If you have Superfish on your computer, you really can’t really trust secure connections to sites anymore.”
Lenovo says Superfish disabled
It was unclear Thursday which models of Lenovo computers may be affected. The company said “some consumer notebook products” shipped between September and December had Superfish installed.
Lenovo said that it removed Superfish from new computers in January, that it will not be included on any new computers, and that Superfish has disabled the software, so it will no longer run even when installed.
Nevertheless, the company maintains that Superfish doesn’t pose the threat that some say it does.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Lenovo said Thursday in a statement. “But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software.
“We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.”
Some computers have clearly made it into stores with active versions of the software.
ArsTechnica reported Thursday that a security researcher bought a Lenovo Yoga 2 Pro for $600 at a San Francisco-area Best Buy and “quickly confirmed” that Superfish had been installed.
Cluley writes that, because Superfish replaces the security certificate of websites with one of its own. it would be “easy for another hostile actor to leverage this and further compromise the user’s connections.”
Getting rid of the software
Completely removing the software from an already-purchased computer appears to be a tricky proposition. In addition to uninstalling the software, Cluley says users need to remove what’s called a “root certificate” for it.
Microsoft, whose Windows operating system runs on Lenovo’s computers, has published a step-by-step guide on how to do that. It has also created a list of the trusted root certificates on different versions of Windows, so users can see if anything else has been added without their knowledge.
The simplest approach, though drastic, is to wipe a computer’s hard drive and install a new version of Windows or another operating system.
“It’s a brutal response, but it’s probably the only one you can completely trust right now,” Cluly wrote. “It took the security community over six months to notice what Lenovo was doing on its PCs, who knows if it’s doing anything else a bit dodgy too.”
Image via iStock