
Update: Superfish CEO Adi Pinhas has issued a statement to PCWorld defending the software and denying that it creates any security risk. He stated,

“There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops… Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk.”

He goes on to say that “a vulnerability was introduced unintentionally by a third party,” and denies that his company or the Superfish software itself is to blame for any security risk.

Original Article: Lenovo is under scrutiny after it was discovered to have shipped certain laptops with a piece of adware, known as Superfish, pre-installed. Bundling adware already looks like a sleazy move on Lenovo's part, but users on the Lenovo forums have raised serious security concerns about Superfish that make the problem worse than it first appeared.

The stated purpose of the adware is to inject advertisements into search engine results. Lenovo presents this as a benefit to users: the software analyses images on the page and shows products similar to the ones users are already looking at, at a lower price. Lenovo also points out that when the laptop is set up for the first time, users can accept or decline Superfish after reading its terms and conditions.

However, some forum users are reporting less than benevolent behaviour on the part of Superfish. They claim it installs its own self-signed certificate authority into the system's trusted root store, which lets the software sit between the browser and any HTTPS site, decrypting and re-encrypting traffic that should be private, such as an online banking session. This technique, commonly known as a man-in-the-middle attack, is a serious security breach if the reports are true. Because the certificate goes into the Windows certificate store, browsers that rely on that store, such as Internet Explorer and Chrome, are affected; Firefox uses its own certificate store and is not.
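The practical check for the behaviour described above is to look in the Windows root certificate stores for the certificate the software is said to install. The script below is an added example, not code from the article, from Lenovo or from Superfish. It assumes the certificate identifies itself with "Superfish" in its Subject (the publicly reported subject begins "CN=Superfish, Inc."); matching on a thumbprint taken from an authoritative advisory would be a stronger test. It only reports by default and removes the certificate when run with -Remove from an elevated prompt.

```powershell
# Added example: find (and optionally remove) a Superfish root certificate
# from the Windows certificate stores that IE and Chrome rely on.
# Assumption: the certificate's Subject contains "Superfish".
# Usage:  .\Find-Superfish.ps1            # report only
#         .\Find-Superfish.ps1 -Remove    # delete what was found (run elevated)
param(
    [switch]$Remove
)

# Trusted root stores consulted by Windows-store browsers. Firefox keeps its
# own certificate database and is not covered by this check.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root'
)

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # A root CA entry that carries a private key on the machine is a
                # strong sign of a local interception proxy: whoever holds that
                # key can mint certificates this machine will trust.
                HasKey     = $_.HasPrivateKey
            }
        }
}

if (-not $suspects) {
    Write-Host 'No Superfish certificate found in the root stores.'
    return
}

$suspects | Format-Table Store, Subject, Thumbprint, NotAfter, HasKey -AutoSize

if ($Remove) {
    foreach ($c in $suspects) {
        # Deleting the root entry withdraws the trust that made the interception
        # invisible; afterwards the browser warns on any Superfish-signed cert.
        Remove-Item -Path ("{0}\{1}" -f $c.Store, $c.Thumbprint) -Verbose
    }
}
```

Removing the certificate is the step that closes the interception risk; uninstalling the adware alone leaves the trust store as it was. Re-run the script without -Remove afterwards to confirm the stores are clean.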

While it is unclear exactly how many machines have Superfish installed, users have reported finding it on their Lenovo laptops as far back as mid-2014. Lenovo stopped pre-loading Superfish on its computers in January 2015 and says that all existing installations were disabled at the same time; it has no plans to pre-load Superfish in the future. Note that disabling the adware is not the same as removing the certificate it installed: a root certificate left in the trust store keeps its effect until it is deleted.

In its official statement on the matter, Lenovo says it investigated the software thoroughly and found no security concerns. No explanation was given, however, for why forum users were able to find evidence of man-in-the-middle behaviour by this software. Lenovo also defends the adware as purely beneficial to the user, saying it relies on analysis of images on the web page and does not record any data or track the user across multiple sessions. Despite believing there is nothing wrong with the software, Lenovo has decided to discontinue its use on the basis of user feedback.

Do you think Lenovo acted wrongly by pre-installing this software on some of their laptops? Leave your comments below.


Max Michael

Senior Writer

I’m a technology reporter located near the Innovation District of Kitchener-Waterloo, Ontario.



  • Ryan Juel

    I just removed SuperFish from three computers at work today, including my own. While removing it, I came across this little gem. It turns out that Lenovo is also installing a Browser Hijack, calling it “Lenovo Search Protect.”

    They’re really trying to torpedo their credibility, aren’t they?

  • jonas nielsen

    And they’re succeeding

    I’m typing this on a Lenovo laptop, which didn’t come with malware for some reason, but I won’t buy anything from them again

  • Ryan Juel

    When did you buy yours? I’d still double check with MBAM and/or ADWcleaner, just to be sure.

    By the way, for anyone else interested, ADWcleaner WILL remove Superfish from your computer. You’ll still need to delete the cert to fully get it out of there.

    http://www.bleepingcomputer.com/download/adwcleaner/

  • jonas nielsen

    2013

    I’ve already checked for the cert and tested at https://lastpass.com/superfish/ so I’m sure it’s clean

    I also run monthly MBAM scans anyway as a security precaution

  • Guest

    >mfw

  • Ryan Juel

    Apparently I fail at posting images. Let’s try this again:

    >mfw

  • WhiteNut

    This is why I run both Malwarebytes and Super Anti-Spyware. Both are top notch programs that will find and erase such a devious little nuisance.

  • Ryan Juel

    MBAM won’t remove superfish. I had to use ADWcleaner to do so.

  • MonsterGogo

    I bought two Lenovo laptops for my workplace, they both came with plenty of adware and trash like that Baidu “antivirus”. Not only that, but I can’t boot the ones I bought via CD so I couldn’t format them back to W7 since they both came with W8. Also the customer support was awful.

  • Nick

    The first thing I do on computers purchased from major manufacturers is uninstall all of their useless utilities/freebies. I don’t want your clutter… Not to mention that yes, all your browser bars and ‘enhancements’ are actually security issues waiting to happen.

  • Hands to Yourself…

    Holy crap. That’s crazy!