LandzDown Forum

Software & More => General Software News, Updates & Discussions => Topic started by: winchester73 on February 19, 2015, 03:11:01 PM

Title: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 19, 2015, 03:11:01 PM
Lenovo, the world's #1 PC manufacturer, is taking a huge PR hit today after news surfaced that some of its consumer laptops come pre-loaded with Superfish ... some experts say it poses a privacy and security threat.

http://www.engadget.com/2015/02/19/lenovo-superfish-adware-preinstalled/

http://www.theguardian.com/technology/2015/feb/19/lenovo-accused-compromising-user-security-installing-adware-pcs-superfish

http://techcrunch.com/2015/02/18/lenovo-superfish/

http://www.siliconrepublic.com/enterprise/item/40767-lenovo-has-been-silently/

http://gizmodo.com/lenovo-installs-adware-on-new-computers-that-could-stea-1686721226
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 19, 2015, 03:46:57 PM
Lenovo Newsroom | LENOVO STATEMENT ON SUPERFISH (http://news.lenovo.com/article_display.cfm?article_id=1929).

From the bottom of the Guardian link by paperghost/Chris Boyd:

Quote
Chris Boyd, Malware Intelligence Analyst at Malwarebytes, recommended that "in this particular case, anybody affected should uninstall the Superfish software then type certmgr.msc into their Windows search bar – from there, they can find and remove the related root certificate."

My concern is not that Lenovo stopped adding it to new computers but rather what is to stop Superfish from re-enabling the server side interactions.  Lenovo should provide the same instructions for removing the root cert to their customers.

Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 19, 2015, 04:01:16 PM
Confirmed it was NOT installed on a two month old ThinkPad T440s, which lends credence to it not being pre-loaded on business machines.

Confirmed it WAS installed on a four month old IdeaPad U530.  This goes beyond the Y50, Z40, Z50, G50, and Yoga 2 Pro reports.

In the latter case, uninstalled Superfish via Control Panel > Add/Remove Programs.  HOWEVER, the process did NOT remove the Registry entry and root certificate.  Removing the trusted root certification from Firefox was simple, however I needed to launch IE as administrator in order to remove it.
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 19, 2015, 04:10:32 PM
Well, this didn't take long:  http://www.theverge.com/2015/2/19/8069127/superfish-password-certificate-cracked-lenovo

Quote
The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed

There is a link at the bottom to test your vulnerability:  https://filippo.io/Badfish/

More details: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: ky331 on February 19, 2015, 05:58:58 PM
Getting "mainstream" (i.e., outside of just "geek"-page) bad publicity:

https://www.yahoo.com/tech/lenovo-has-been-selling-laptops-with-malware-111476606919.html
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 19, 2015, 07:08:56 PM
Quote
Imagine that you are a major global seller of laptop computers and that you were just caught preloading those machines with ultra-invasive adware that hijacks even fully encrypted Web sessions by using a self-signed root HTTPS certificate from a company called Superfish. How do you explain why you did it?

If you're Lenovo, you tell customers that you thought they would like having their visits to banking websites interfered with and their machines left open to potential man-in-the-middle attacks!

http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/

:thud:

Decent removal instructions:  http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 19, 2015, 07:50:30 PM
Lenovo has updated the list of affected laptops ... 43 models:

Quote
Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
http://news.lenovo.com/article_display.cfm?article_id=1929

Lenovo mentions 3 specific things:

Quote
Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

Lenovo stopped preloading the software in January.

We will not preload this software in the future.

That's good news for future users but doesn't fix the problem for those who already have it installed.  Lenovo doesn't understand the damage that has been done, not just to customer trust ...  :Win73:

Take the time to run the tool posted earlier:  https://filippo.io/Badfish/

If you get a 'yes', you have the bad root certificate and need to remove it.

The computer security experts at LastPass have developed a tool to see if your computer is 'infected':  https://lastpass.com/superfish/
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 19, 2015, 08:07:21 PM
One of the security "journalists" posted on Twitter that he checked Lenovo laptops for sale at BestBuy.  Some had Superfish, others didn't.  Obviously, just because Lenovo stopped installing Superfish in January doesn't help the laptops produced prior to that date and sitting on shelves waiting for the unsuspecting buyer.
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 19, 2015, 08:52:51 PM
How about this:  Spy agencies ban Lenovo PCs on security concerns (http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL).
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 19, 2015, 10:06:00 PM
I don't think that there is a news source/journalist that hasn't gotten into the Lenovo/Superfish discussion today.  Excerpts from interview with Lenovo CTO:  Lenovo CTO: We're Working to Wipe Superfish App Off of PCs - Digits - WSJ (http://blogs.wsj.com/digits/2015/02/19/lenovo-cto-were-working-to-wipe-superfish-app-off-of-pcs/).

Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 19, 2015, 10:08:31 PM
"We're not trying to get into an argument with the security guys. They're dealing with theoretical concerns. We have no insight that anything nefarious has occurred."
Quote
Lenovo CTO: We're Working to Wipe Superfish App Off of PCs - Digits - WSJ (http://blogs.wsj.com/digits/2015/02/19/lenovo-cto-were-working-to-wipe-superfish-app-off-of-pcs/)

:blink:

Lenovo posts "Instructions to determine if you have the SuperFish application installed and how to Uninstall it"

http://news.lenovo.com/images/20034/remove-superfish-instructions.pdf

http://support.lenovo.com/us/en/product_security/superfish_uninstall

Superfish was only installed on Lenovo Notebook products, not ThinkPad, ThinkCentre, Desktop, ThinkStation, ThinkServer or System x products.

http://support.lenovo.com/us/en/product_security/superfish
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 19, 2015, 11:43:48 PM
The Lenovo PDF doesn't mention what to do if Firefox and/or Thunderbird are installed.  See the bottom of the instructions here for removing the Firefox & Thunderbird certificate:  http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malware-what-lenovo-doesnt-tell-you/
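
A read-only check for the situation described in the posts above (the root certificate can remain after the uninstall, and Firefox and Thunderbird keep their own certificate databases). This is an added example, not part of any post and not Lenovo's or Microsoft's tool; matching on the string "Superfish" and the default profile locations under %APPDATA% are assumptions.

```powershell
# Added example: read-only audit; it removes nothing.
# Assumption: the leftover root certificate is recognisable by the string
# "Superfish" in its Subject or Issuer (the thread gives no thumbprint).
$pattern = 'Superfish'

# 1. Windows certificate stores (the ones certmgr.msc shows for the current
#    user, plus the machine-wide equivalents).
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot'
)
$windowsHits = @(foreach ($store in $stores) {
    if (-not (Test-Path -Path $store)) { continue }
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter
})

# 2. Firefox and Thunderbird do not use the Windows stores. Each profile has
#    its own database (cert8.db or cert9.db, depending on version).
#    Heuristic only: look for the ASCII string inside the database file.
$profileRoots = @(
    (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'),
    (Join-Path $env:APPDATA 'Thunderbird\Profiles')
)
$mozillaHits = @(foreach ($root in $profileRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path (Join-Path $root '*\cert?.db') -ErrorAction SilentlyContinue |
        ForEach-Object {
            $db = $_
            try {
                $bytes = [System.IO.File]::ReadAllBytes($db.FullName)
                $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
                if ($text.Contains($pattern)) { $status = 'string found' }
                else                          { $status = 'string not found' }
            } catch {
                # Typically a sharing violation while the application is open.
                $status = 'unreadable (close the application and retry)'
            }
            [pscustomobject]@{ Database = $db.FullName; Result = $status }
        }
})

# 3. Report.
if ($windowsHits.Count -eq 0) {
    'Windows stores: no certificate matching the pattern.'
} else {
    'Windows stores: matching certificate(s) still present:'
    $windowsHits | Format-List
}
if ($mozillaHits.Count -eq 0) {
    'Firefox/Thunderbird: no profile certificate database found.'
} else {
    $mozillaHits | Format-Table -AutoSize -Wrap
}
```

A "string found" result on a Firefox or Thunderbird database is only a lead, since removed records can linger in the file; confirm it in the application's own certificate manager.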
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 20, 2015, 01:48:28 AM
"This was a small scale test to see if consumers would like the feature."

http://www.wired.com/2015/02/lenovo-superfish/

Quote
Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless

Indeed

This is disturbing on a personal note as I have purchased several Lenovo laptops over the years, and recommended them many times to friends and family. They make terrific hardware, but this only serves to diminish their brand.

Lenovo's initial "What, me worry?" level of denial is troubling.  They had to have known about this issue since at least 21 January:  https://forums.lenovo.com/t5/Security-Malware/Potentially-Unwanted-Program-Superfish-VisualDiscovery/m-p/1860408/highlight/true#M1697

There was no response until 19 February.

I'd bet that ZERO of their users enjoy the Superfish software pre-installed on their computers  :(

Thankfully my ThinkPad is unaffected.  However, with regards to the IdeaPad, I go out of my way to avoid security vulnerabilities ... and I certainly never elected to buy it with them pre-installed.    :exorcize:
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 20, 2015, 03:17:33 AM
http://www.pcworld.com/article/2886912/lenovo-admits-to-superfish-screwup-will-release-cleanup-tool.html

According to Lenovo's chief technical officer Peter Hortensius, there are plans to release an automated tool on Friday that will remove Superfish from affected PCs.

There have been widespread reports that Lenovo is in contact with browser and antivirus about ways to fix this issue.  For example, delivering the tool as an automatic patch (possibly through partners such as Microsoft) rather than relying on users to download it themselves.  Additionally, they are investigating ways to remove the software from the Windows deployment "preload" of the affected laptops, which is stored on the hidden recovery partition (and used for factory resets).
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: plodr on February 20, 2015, 05:02:37 PM
I didn't even think about the recovery partition.
I guess it's best to clean it off then make an image of only the clean drive C and avoid using the recovery partition.

This was the most understandable article I saw to clean it off
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: ky331 on February 20, 2015, 05:14:34 PM
Per "The Windows Club" (on Facebook):  Microsoft has updated Windows Defender. It now removes Superfish along with the root CA certificate.
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 20, 2015, 05:31:47 PM
LOL, you beat me to it while life interfered with posting  :thumbsup:

https://www.facebook.com/TheWindowsClub/posts/10153005505446201

Also this: "Microsoft helps Lenovo, deletes Superfish 'crapware' and rogue cert"

Quote
The signature, pegged Trojan:Win32/Superfish.A, scrubs a Windows PC of both the Superfish program and the self-signed certificate used to intercept secured traffic, according to Filippo Valsorda, a systems engineer at CloudFlare, a California security firm.

Microsoft confirmed that the signature cleaned Lenovo PCs of Superfish and deleted the certificate.

Quote
Because anti-malware vendors have been notoriously hesitant to scour OEMs' crapware from PCs, Microsoft may have sought Lenovo's approval if the latter had not reached out directly.

Microsoft added the Trojan:Win32/Superfish.A definition today to its free anti-malware programs, Windows Defender and Security Essentials. Windows Defender is the anti-malware program baked into Windows 8 and 8.1 and the most pertinent; the Lenovo notebooks infected with Superfish were all powered by Windows 8.1.

Users must run a Windows Defender scan to eliminate Superfish. They may also need to first force an update by clicking the "Update" tab, then the large "Update" button.

http://www.computerworld.com/article/2887214/microsoft-helps-out-partner-lenovo-deletes-superfish-crapware-and-rogue-cert.html


Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 20, 2015, 07:52:45 PM
Microsoft has added the Superfish software/certificate to Windows Defender 1.193.444.0, according to Italian CloudFlare Security Team member @FiloSottile.

https://twitter.com/FiloSottile/status/568800260111388672

Filippo Valsorda created the first website to check to see if your computer is infected with Superfish:  https://filippo.io/Badfish/  (linked earlier)

In addition, products that are based on Superfish/komodia will be disabled with this update.

NOTE:  Windows Defender is enabled by default in Windows 8, but Lenovo often disabled it to activate a bundled AV solution by Norton, McAfee, etc. In that case, you will have to reactivate Defender.

:drink1: Microsoft
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 20, 2015, 09:52:27 PM
Via Reuters -
U.S. government urges Lenovo customers to remove Superfish software (http://www.reuters.com/article/2015/02/20/us-lenovo-cybersecurity-dhs-idUSKBN0LO21U20150220)

ESET users are now protected via Win32/Adware.SuperFish http://virusradar.com/en/Win32_Adware.SuperFish.A/description

And there's the Lenovo sanctioned heavy lifting removal process (probably already mentioned - but here it is again)

http://support.lenovo.com/us/en/product_security/superfish_uninstall
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 20, 2015, 09:58:57 PM
Some of us have some Facebook pages blocked  ¯\_(ツ)_/¯ Just saying ...
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 20, 2015, 11:22:52 PM
Additional notes:

https://www.us-cert.gov/ncas/current-activity/2015/02/20/Lenovo-Computers-Vulnerable-HTTPS-Spoofing

Lenovo Superfish Adware Vulnerable to HTTPS Spoofing
https://www.us-cert.gov/ncas/alerts/TA15-051A

Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 21, 2015, 12:15:09 AM
To continue this wild story -- The Company Behind Lenovo's Dangerous Superfish Tech Claims It's Under Attack - Forbes (http://www.forbes.com/sites/thomasbrewster/2015/02/20/komodia-lenovo-superfish-ddos/)
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 21, 2015, 01:35:59 AM
Via Twitter, https://twitter.com/lenovo/status/568933623442878466

Quote
NEWS: Here's a direct link to automated Superfish removal tool--completely deletes Superfish & certificates http://lnv.gy/1CXxZfi

The link without the URL shortener:  Superfish Uninstall Instructions - Lenovo Support (US) (http://support.lenovo.com/us/en/product_security/superfish_uninstall?cid=ww:social:149248169:149248168:TWITTER:lenovo:*%20Customer%20Service%20and%20Support&linkId=12486011)
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 21, 2015, 12:31:08 PM
All ESET products now actively block the "Superfish" website. See: https://twitter.com/goretsky/status/568980798897922049
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 21, 2015, 01:22:53 PM
Updated Lenovo Statement on Superfish: http://news.lenovo.com/article_display.cfm?article_id=1931&view_id=1431&

Quote
We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem.

Issuing an open source Superfish removal tool under the Mozilla Public License was a welcome move, showing Lenovo is being transparent.
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 21, 2015, 02:38:51 PM
Quote from: winchester73 on February 21, 2015, 01:22:53 PM
Issuing an open source Superfish removal tool under the Mozilla Public License was a welcome move, showing Lenovo is being transparent.

I agree, although at this point, I don't think Lenovo really had any other choice.  What I do NOT like is seeing articles such as Superfish spyware not limited to Lenovo laptops (http://www.ibtimes.co.uk/superfish-spyware-not-limited-lenovo-laptops-1488859).  As far as I'm concerned, that is merely taking advantage of the Superfish hype.  Of course an adware program that has been around at least since 2012 isn't limited to one OEM, just as Conduit and other BHOs, toolbars, etc. are not limited.  The difference in the Lenovo case is the inclusion of the root certificate authority, particularly if Lenovo had knowledge of that inclusion. 

Based on statements such as
Quote
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo said in a Thursday statement that was subsequently altered to drop that line.
from Security experts call for halt to PC 'crapware' after Lenovo debacle (http://www.computerworld.com/article/2886978/security-experts-call-for-halt-to-pc-crapware-after-lenovo-debacle.html) that siljaline posted elsewhere, it could be debated that Lenovo had the wool pulled over their eyes and was not aware of the inclusion of the root certificate authority.  However, even if they were unaware of the inclusion, there certainly was not due diligence to fully examine what was being installed with the program.

Edit Addition

From Lenovo CTO on Superfish: 'We Messed Up' | Re/code (http://recode.net/2015/02/20/lenovo-cto-admits-it-messed-up-allowing-major-security-hole-onto-pcs/),
Quote
The company has an engineering review that made sure the tool itself didn't store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

"We should have known going in that that was the case," Hortensius said. "We just flat-out missed it on this one, and did not appreciate the problem it was going to create."

Engineering review does not equate to security review.  Will OEMs now be held to a higher standard?  Will OEMs learn from what Lenovo is suffering in loss of trust?
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 21, 2015, 03:10:01 PM
As a followup ...

I just ran the Lenovo tool on the IdeaPad.  I had previously uninstalled the software and removed the certificates.  Next, I ran Windows Defender (updated to 1.193.467.0) with both Quick and Full scans.  Curiously, nothing was found in either scan.  Now that Lenovo has released their tool, I wanted to see if there were still registry items and files lurking somewhere.  Here is a screenshot, reinforcing the need to run the tool even if you have previously followed the manual removal instructions (and, perhaps, run a Defender scan):

Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 21, 2015, 03:49:07 PM
Not forgetting Lenovo is working with Microsoft as a direct result of the SuperFish (http://en.wikipedia.org/wiki/Superfish) OEM Bundling at source. These are facts - not fiction.

Note the continued denial by Lenovo's CTO (or) whoever is dispatching the Press Releases:
Quote
[...]However, we did not know about this potential security vulnerability until yesterday.[...]

More deception from same Press Release:
Quote
About Superfish: Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior.  It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted.   Every session is independent. Users are given a choice whether or not to use the product. We recognize that the software did not meet expectations and have acted quickly and decisively to remove it from our products.
No one was told this adware would be pre-bundled and there certainly was no Lenovo opt-out issued.

Thus, we are where we are now. Also beware of folks too closely involved with LOL-Lenovo bearing strange gifts.

Let's be clear - the removal tool was issued by Lenovo strictly as a result of a bombardment of public pressure to do so.

   
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 21, 2015, 05:38:40 PM
Lenovo CTO Admits It 'Messed Up' Allowing Major Security Hole Onto PCs (http://recode.net/2015/02/20/lenovo-cto-admits-it-messed-up-allowing-major-security-hole-onto-pcs/) 
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 21, 2015, 05:45:55 PM
Too much information in the press & hard to keep up.   The re/code article is quoted in my post above, siljaline.  ;)

Questions for you and others reading this thread: 
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: Corrine on February 21, 2015, 07:30:35 PM
Image posted at BBR (h/t siljaline) showing the list of vendors using the Komodia Redirector from CERT (Vulnerability Note VU#529496 - Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys (http://www.kb.cert.org/vuls/id/529496)) and will be detected by a https://filippo.io/Badfish/ scan:

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fi.dslr.net%2Fsyms%2Ff452a55629c3a8a79d3c7d1fc55a7764.jpg&hash=5ebc00afb04dd0cd5cd22ad75e393ba8ed08143a)

Urizen (Nicolas Stark), Ann-Christine Åkerlund and Jason King should be hiding in shame.  From ABC News at http://abcnews.go.com/Technology/lenovo-faces-uproar-superfish-adware/story?id=29085435

Quote
Daniel Assouline, CEO at software company Lavasoft, told ABC News "the problem with Superfish isn't the problem of what they do, it's how they do it."
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 21, 2015, 07:56:36 PM
The image Corrine posted is explained here:  http://marcrogers.org/2015/02/19/will-the-madness-never-end-komodia-ssl-certificates-are-everywhere/

Also of note, Filippo Valsorda has updated his tool to test for Komodia products besides Superfish.

UPDATE - For those who wish to re-test all of their browsers, Superfish CA + Komodia vulnerability test now detects all Komodia softwares and doesn't cache results:  https://filippo.io/Badfish/

How Komodia works:  https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 21, 2015, 09:26:05 PM
For those socially oriented - you may follow Filippo in real-time on Twitter (https://twitter.com/FiloSottile) 
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 22, 2015, 06:03:00 AM
Beware that the Wikipedia entry for SuperFish (http://en.wikipedia.org/wiki/Superfish) still exists. Most AV engines now actively block the URL.

See Tweet from Aryeh at ESET NA https://twitter.com/goretsky/status/568980798897922049


Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 22, 2015, 02:40:59 PM
WOT warns as well:
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 22, 2015, 09:55:44 PM
The LOL-Lenovo debacle just won't go away!  LOL-Lenovo recently opined - (but continue to Lie as the SuperFish software was bundled in as far back as 2012)

Quote
We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday [Friday, 20 February]. Now we are focused on fixing it.

Since that time we have moved as swiftly and decisively as we can based on what we now know. While this issue in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed.

We apologise for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future.

http://www.theregister.co.uk/2015/02/22/lenovo_superfish_removal_tool/   
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 23, 2015, 08:16:38 PM
Lenovo hit with lawsuit over Superfish snafu
Quote
Lenovo admitted to pre-loading the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court on the matter.
A proposed class-action lawsuit was filed late last week against Lenovo and Superfish, charging both companies with "fraudulent" business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware. [...]
http://www.computerworld.com/article/2887245/legal/lenovo-hit-with-lawsuit-over-superfish-snafu.html
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 23, 2015, 08:18:20 PM
Mozilla mulls Superfish torpedo
Quote
Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops.
The move will be another blow against Superfish, which is under a sustained barrage of criticism for its use of a root certificate to launch man-in-the-middle attacks against innocent users in order to inject advertising into web searches. [...]
http://www.theregister.co.uk/2015/02/23/mozilla_mulls_super_phish_torpedo/
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 23, 2015, 10:14:26 PM
Superfish stumper: What did Lenovo know and when did it know it?
Quote
What does a person have to do to get a pizza delivered? If you're in the area formerly known as the great American Northeast, now doubling as Westeros, only with more white walkers, apparently no action is good enough. How cold is it? When I accidentally stepped outside today, my nose hair flash froze and it felt like someone had fired a staple gun into my cheekbones. [...]
http://www.infoworld.com/article/2887237/cringely/superfish-stumper-what-did-lenovo-know-and-when-did-it-know-it.html
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 24, 2015, 04:48:22 AM
The LOL-Lenovo debacle continues as LOL-Lenovo Corporate begs for forgiveness -

Quote
Lenovo's top technical executive apologized once again for preinstalling laptops with software that intercepted customers' encrypted Web traffic, and the company has gone on to outline plans to ensure that similar mistakes don't happen again.

"This software frustrated some users without adding value to the experience so we were in the process of removing it from our preloads," Lenovo CTO Peter Hortensius wrote in an open letter published Monday (http://news.lenovo.com/article_display.cfm?article_id=1932). "Then, we saw published reports about a security vulnerability created by this software and have taken immediate action to remove it. Clearly this issue has caused concern among our customers, partners, and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologize." [...]

http://arstechnica.com/security/2015/02/still-smarting-from-https-busting-superfish-debacle-lenovo-says-sorry/

h/t @ Dan Goodin (https://twitter.com/dangoodin001), others, for bringing down the house on the ongoing LOL-Lenovo case.

Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 24, 2015, 01:30:02 PM
Filippo Valsorda has updated his Superfish, Komodia, PrivDog vulnerability test once again to test for other SSL-disabling products:  https://filippo.io/Badfish/

According to Lenovo, Superfish may have appeared on these models:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: siljaline on February 24, 2015, 06:20:05 PM
The LOL-Lenovo betrayal of trust debacle continues unabated - 
Quote
"We're just kind of scratching the surface," said Ken Westin, a senior security analyst with cybersecurity firm Tripwire. "I guarantee you within the next week or two, we'll start hearing more about things like this."
Quote
Dave Fewer, director of the Ottawa-based Canadian Internet Policy and Public Interest Clinic, described the flaw as "a huge betrayal of trust."
http://www.cbc.ca/news/technology/superfish-adware-frenzy-over-lenovo-betrayal-of-trust-1.2968640
Title: Re: Lenovo pre-loads 'Superfish' on some new laptops
Post by: winchester73 on February 24, 2015, 08:18:13 PM
The original purpose of this thread was to alert Lenovo users about an important breach of customer privacy and security by the world's largest PC maker.  Over the last five days, there has been much useful information posted about the implications of this MITM attack and how it cracks open secure connections.  As tools were developed and updated, instructions were provided on how to detect and remove the threat from an affected Lenovo consumer product.  This issue only pertained to a small percentage of the personal computers being used throughout the world, and ONLY specific Lenovo models.

After some discussion behind the scenes, it has been decided that the immediate threat has been neutralized, and the original purpose behind 3 pages of posts has been fulfilled ...  thus, this topic is now closed.

Anyone interested in additional information can easily find it via social media or by using their favorite search engine.  We now return you to your regularly scheduled forum.