Lenovo pre-loads 'Superfish' on some new laptops

Started by winchester73, February 19, 2015, 03:11:01 PM


winchester73

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Corrine

Lenovo Newsroom | LENOVO STATEMENT ON SUPERFISH.

From the bottom of the Guardian link by paperghost/Chris Boyd:

Quote: Chris Boyd, Malware Intelligence Analyst at Malwarebytes, recommended that "in this particular case, anybody affected should uninstall the Superfish software then type certmgr.msc into their Windows search bar – from there, they can find and remove the related root certificate."

My concern is not that Lenovo stopped adding it to new computers but rather what is to stop Superfish from re-enabling the server side interactions.  Lenovo should provide the same instructions for removing the root cert to their customers.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

Confirmed it was NOT installed on a two month old ThinkPad T440s, which lends credence to it not being pre-loaded on business machines.

Confirmed it WAS installed on a four month old IdeaPad U530.  This goes beyond the Y50, Z40, Z50, G50, and Yoga 2 Pro reports.

In the latter case, uninstalled Superfish via Control Panel > Add/Remove Programs.  HOWEVER, the process did NOT remove the Registry entry and root certificate.  Removing the trusted root certification from Firefox was simple; however, I needed to launch IE as administrator in order to remove it.
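Added example, not part of any post in this thread: a PowerShell check for what the post above reports, namely a root certificate still trusted after the program itself was uninstalled. Matching on the text "Superfish" and the function names are assumptions made for this sketch; the thread gives no thumbprint or registry path.

```powershell
# Added example (not from the thread): look for Superfish leftovers after an uninstall.
# Assumption: the certificate and program are matched by the text "Superfish";
# the thread gives no thumbprint or registry path.
function Find-SuperfishRoot {
    param(
        [string]$Pattern = 'Superfish',
        [string[]]$Stores = @(
            'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            Select-Object @{ n = 'Store'; e = { $store } },
                          Subject, Thumbprint, NotAfter, PSPath
    }
}

function Find-SuperfishProgram {
    param([string]$Pattern = 'Superfish')
    # Standard per-machine uninstall keys (64-bit and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

$programs = @(Find-SuperfishProgram)
$roots    = @(Find-SuperfishRoot)
"Programs still registered: $($programs.Count)"
"Matching root certificates: $($roots.Count)"
$roots | Format-List Store, Subject, Thumbprint, NotAfter

# Preview the removal only. Run elevated and drop -WhatIf to delete for real.
foreach ($cert in $roots) { Remove-Item -Path $cert.PSPath -WhatIf }
```

This covers only the Windows certificate stores; Firefox and Thunderbird keep their own store and have to be checked separately.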

winchester73

Well, this didn't take long:  http://www.theverge.com/2015/2/19/8069127/superfish-password-certificate-cracked-lenovo

Quote: The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed

There is a link at the bottom to test your vulnerability:  https://filippo.io/Badfish/

More details: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/


winchester73

Quote: Imagine that you are a major global seller of laptop computers and that you were just caught preloading those machines with ultra-invasive adware that hijacks even fully encrypted Web sessions by using a self-signed root HTTPS certificate from a company called Superfish. How do you explain why you did it?

If you're Lenovo, you tell customers that you thought they would like having their visits to banking websites interfered with and their machines left open to potential man-in-the-middle attacks!

http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/

:thud:

Decent removal instructions:  http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html

winchester73

Lenovo has updated the list of affected laptops ... 43 models:

Quote: Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
http://news.lenovo.com/article_display.cfm?article_id=1929

Lenovo mentions 3 specific things:

Quote: Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

Lenovo stopped preloading the software in January.

We will not preload this software in the future.

That's good news for future users but doesn't fix the problem for those who already have it installed.  Lenovo doesn't understand the damage that has been done, not just to customer trust ...  :Win73:

Take the time to run the tool posted earlier:  https://filippo.io/Badfish/

If you get a 'yes', you have the bad root certificate and need to remove it.

The computer security experts at LastPass have developed a tool to see if your computer is 'infected':  https://lastpass.com/superfish/

Corrine

One of the security "journalists" posted on Twitter that he checked Lenovo laptops for sale at BestBuy.  Some had Superfish, others didn't.  Obviously, just because Lenovo stopped installing Superfish in January doesn't help the laptops produced prior to that date and sitting on shelves waiting for the unsuspecting buyer.



Corrine

I don't think that there is a news source/journalist that hasn't gotten into the Lenovo/Superfish discussion today.  Excerpts from interview with Lenovo CTO:  Lenovo CTO: We're Working to Wipe Superfish App Off of PCs - Digits - WSJ.




winchester73

"We're not trying to get into an argument with the security guys. They're dealing with theoretical concerns. We have no insight that anything nefarious has occurred."
Quote
Lenovo CTO: We're Working to Wipe Superfish App Off of PCs - Digits - WSJ

:blink:

Lenovo posts "Instructions to determine if you have the SuperFish application installed and how to Uninstall it"

http://news.lenovo.com/images/20034/remove-superfish-instructions.pdf

http://support.lenovo.com/us/en/product_security/superfish_uninstall

Superfish was only installed on Lenovo Notebook products, not ThinkPad, ThinkCentre, Desktop, ThinkStation, ThinkServer or System x products.

http://support.lenovo.com/us/en/product_security/superfish

Corrine

The Lenovo PDF doesn't mention what to do if Firefox and/or Thunderbird are installed.  See the bottom of the instructions here for removing the Firefox & Thunderbird certificate:  http://arstechnica.com/security/2015/02/how-to-remove-the-superfish-malware-what-lenovo-doesnt-tell-you/



winchester73

"This was a small scale test to see if consumers would like the feature."

http://www.wired.com/2015/02/lenovo-superfish/

Quote: Lenovo's Response to Its Dangerous Adware Is Astonishingly Clueless

Indeed

This is disturbing on a personal note as I have purchased several Lenovo laptops over the years, and recommended them many times to friends and family. They make terrific hardware, but this only serves to diminish their brand.

Lenovo's initial "What, me worry?" level of denial is troubling.  They had to have known about this issue since at least 21 January:  https://forums.lenovo.com/t5/Security-Malware/Potentially-Unwanted-Program-Superfish-VisualDiscovery/m-p/1860408/highlight/true#M1697

There was no response until 19 February.

I'd bet that ZERO of their users enjoy the Superfish software pre-installed on their computers  :(

Thankfully my ThinkPad is unaffected.  However, with regards to the IdeaPad, I go out of my way to avoid security vulnerabilities ... and I certainly never elected to buy it with them pre-installed.    :exorcize:

winchester73

http://www.pcworld.com/article/2886912/lenovo-admits-to-superfish-screwup-will-release-cleanup-tool.html

According to Lenovo's chief technical officer Peter Hortensius, there are plans to release an automated tool on Friday that will remove Superfish from affected PCs.

There have been widespread reports that Lenovo is in contact with browser and antivirus about ways to fix this issue.  For example, delivering the tool as an automatic patch (possibly through partners such as Microsoft) rather than relying on users to download it themselves.  Additionally, they are investigating ways to remove the software from the Windows deployment "preload" of the affected laptops, which is stored on the hidden recovery partition (and used for factory resets).

plodr

I didn't even think about the recovery partition.
I guess it's best to clean it off then make an image of only the clean drive C and avoid using the recovery partition.

This was the most understandable article I saw to clean it off
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
Chugging coffee and computing!