Update: Superfish CEO, Adi Pinhas, has issued a statement to PCWorld, defending their software, and denying that their is any security risk caused by it. He stated,
“There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops… Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk.”
He goes on to say that, “a vulnerability was introduced unintentionally by a third party,” and denies any culpability in his own company or the Superfish software for any security risks.
Original Article: Lenovo is under scrutiny after it was recently discovered to have shipped certain laptops with a piece of adware, known as Superfish, already installed. While this may seem like a sleazy move on the part of Lenovo, some users on the Lenovo forums have raised serious security concerns about Superfish, making the problem even worse than it seemed at first.
The stated purpose of the adware is to inject advertisements into search engine results. Lenovo claims this as a benefit to users, since it uses image analysis, and shows users products similar to ones they are already looking at, but at a lower price. It was even pointed out that when the laptop is set up for the first time users can accept or decline the use of Superfish, after reading its terms and conditions.
However some forum users are reporting less than benevolent behavior on the part of Superfish. They claim it installs its own self-signed certificate authority, allowing it to decrypt secure requests, such as those used in online banking. This technique, commonly known as a man-in-the-middle attack, is a serious security breach if the reports are true. This security risk affects browsers like IE and Chrome, but does not affect Firefox because it uses its own certificate store.
While it is unclear exactly how many machines have Superfish installed, users have been reporting the existence of Superfish on their Lenovo laptops as far back as mid 2014. However Lenovo no longer pre-loads Superfish on their computers as of January 2015, and all existing installations of Superfish were disabled at the same time. Lenovo has no plans to pre-load Superfish in the future.
In its official statement on the matter, Lenovo claims to have investigated the software thoroughly and found no security concerns. However no explanation was given as to why the forums users were able to find evidence of man-in-the-middle attacks caused by this software. They also defend the adware on the basis that is purely beneficial to the user, relying on analysis of images on the web page. It does not record any data, or track the user across multiple sessions. Despite the fact they believe there is nothing wrong with the software, Lenovo has decided to discontinue its use on the basis of user feedback.
Do you think Lenovo acted wrongly by pre-installing this software on some of their laptops? Leave your comments below.