Lenovo pre-loads 'Superfish' on some new laptops

Started by winchester73, February 19, 2015, 03:11:01 PM

ky331

Per "The Windows Club" (on Facebook):  Microsoft has updated Windows Defender. It now removes Superfish along with the root CA certificate.

winchester73

LOL, you beat me to it while life interfered with posting  :thumbsup:

https://www.facebook.com/TheWindowsClub/posts/10153005505446201

Also this: "Microsoft helps Lenovo, deletes Superfish 'crapware' and rogue cert"

Quote
The signature, pegged Trojan:Win32/Superfish.A, scrubs a Windows PC of both the Superfish program and the self-signed certificate used to intercept secured traffic, according to Filippo Valsorda, a systems engineer at CloudFlare, a California security firm.

Microsoft confirmed that the signature cleaned Lenovo PCs of Superfish and deleted the certificate.

Quote
Because anti-malware vendors have been notoriously hesitant to scour OEMs' crapware from PCs, Microsoft may have sought Lenovo's approval if the latter had not reached out directly.

Microsoft added the Trojan:Win32/Superfish.A definition today to its free anti-malware programs, Windows Defender and Security Essentials. Windows Defender is the anti-malware program baked into Windows 8 and 8.1 and the most pertinent; the Lenovo notebooks infected with Superfish were all powered by Windows 8.1.

Users must run a Windows Defender scan to eliminate Superfish. They may also need to first force an update by clicking the "Update" tab, then the large "Update" button.

http://www.computerworld.com/article/2887214/microsoft-helps-out-partner-lenovo-deletes-superfish-crapware-and-rogue-cert.html


Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

winchester73

Microsoft has added the Superfish software/certificate to Windows Defender 1.193.444.0, according to Italian CloudFlare Security Team member @FiloSottile.

https://twitter.com/FiloSottile/status/568800260111388672

Filippo Valsorda created the first website to check to see if your computer is infected with Superfish:  https://filippo.io/Badfish/  (linked earlier)

In addition, products that are based on Superfish/komodia will be disabled with this update.

NOTE:  Windows Defender is enabled by default in Windows 8, but Lenovo often disabled it to activate a bundled AV solution by Norton, McAfee, etc. In that case, you will have to reactivate Defender.

:drink1: Microsoft
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

siljaline

Via Reuters -
U.S. government urges Lenovo customers to remove Superfish software

ESET users are now protected via Win32/Adware.SuperFish http://virusradar.com/en/Win32_Adware.SuperFish.A/description

And there's the Lenovo-sanctioned heavy-lifting removal process (probably already mentioned, but here it is again)

http://support.lenovo.com/us/en/product_security/superfish_uninstall
siljaline
MVPS Hosts . MBAM . Why ESET

siljaline

Some of us have some Facebook pages blocked  ¯\_(ツ)_/¯ Just saying ...
siljaline
MVPS Hosts . MBAM . Why ESET

Corrine

Via Twitter, https://twitter.com/lenovo/status/568933623442878466

Quote
NEWS: Here's a direct link to automated Superfish removal tool--completely deletes Superfish & certificates http://lnv.gy/1CXxZfi

The link without the URL shortener:  Superfish Uninstall Instructions - Lenovo Support (US)


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

Updated Lenovo Statement on Superfish: http://news.lenovo.com/article_display.cfm?article_id=1931&view_id=1431&

Quote
We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem.

Issuing an open source Superfish removal tool under the Mozilla Public License was a welcome move, showing Lenovo is being transparent.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Corrine

Quote from: winchester73 on February 21, 2015, 01:22:53 PM
Issuing an open source Superfish removal tool under the Mozilla Public License was a welcome move, showing Lenovo is being transparent.

I agree, although at this point, I don't think Lenovo really had any other choice.  What I do NOT like is seeing articles such as Superfish spyware not limited to Lenovo laptops.  As far as I'm concerned, that is merely taking advantage of the Superfish hype.  Of course an adware program that has been around at least since 2012 isn't limited to one OEM, just as Conduit and other BHOs, toolbars, etc. are not limited.  The difference in the Lenovo case is the inclusion of the root certificate authority, particularly if Lenovo had knowledge of that inclusion. 

Based on statements such as
Quote
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo said in a Thursday statement that was subsequently altered to drop that line.
from Security experts call for halt to PC 'crapware' after Lenovo debacle that siljaline posted elsewhere, it could be debated that Lenovo had the wool pulled over their eyes and was not aware of the inclusion of the root certificate authority.  However, even if they were unaware of the inclusion, there certainly was not due diligence to fully examine what was being installed with the program.

Edit Addition

From Lenovo CTO on Superfish: 'We Messed Up' | Re/code,
Quote
The company has an engineering review that made sure the tool itself didn't store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

"We should have known going in that that was the case," Hortensius said. "We just flat-out missed it on this one, and did not appreciate the problem it was going to create."

Engineering review does not equate to security review.  Will OEMs now be held to a higher standard?  Will OEMs learn from what Lenovo is suffering in loss of trust?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

As a followup ...

I just ran the Lenovo tool on the IdeaPad.  I had previously uninstalled the software and removed the certificates.  Next, I ran Windows Defender (updated to 1.193.467.0) with both Quick and Full scans.  Curiously, nothing was found in either scan.  Now that Lenovo has released their tool, I wanted to see if there were still registry items and files lurking somewhere.  Here is a screenshot, reinforcing the need to run the tool even if you have previously followed the manual removal instructions (and, perhaps, run a Defender scan):

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member
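
Added example (not part of the thread, and not Lenovo's or Microsoft's tooling): a PowerShell check for the two points raised in the posts above, whether Defender is actually enabled with definitions at least 1.193.444.0, and whether a certificate naming Superfish is still present after removal. Matching on the string "Superfish" in the Subject or Issuer is an assumption, since the thread gives no thumbprint.

```powershell
# Added example: post-removal verification. Covers the Windows certificate
# stores only; applications that keep their own trust store are not checked.
# Assumption: the rogue root names "Superfish" in its Subject or Issuer.
$pattern     = 'Superfish'
# Lowest Defender definition version the thread reports as detecting Superfish.
$minimumDefs = [version]'1.193.444.0'

# 1. Look through the per-machine and per-user root and intermediate stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter
}

if ($hits) {
    Write-Warning 'Certificate(s) matching the pattern are still installed:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No matching certificate found in the Windows certificate stores.'
}

# 2. Confirm Defender is the active engine and its definitions are new enough.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
} catch {
    $mp = $null
    Write-Warning 'Defender status is unavailable (module missing or service stopped).'
}

if ($mp) {
    $defs = [version]$mp.AntivirusSignatureVersion
    if (-not $mp.AntivirusEnabled) {
        Write-Warning 'Windows Defender is disabled; a bundled AV may have turned it off.'
    } elseif ($defs -lt $minimumDefs) {
        Write-Warning "Definitions $defs are older than $minimumDefs; update before scanning."
    } else {
        Write-Output "Defender is enabled with definitions $defs."
    }
}
```

Run it from an elevated PowerShell prompt so the LocalMachine stores and Defender status are readable.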

siljaline

Not forgetting Lenovo is working with Microsoft as a direct result of the SuperFish OEM Bundling at source. These are facts - not fiction. 

Note the continued denial by Lenovo's CTO (or) whoever is dispatching the Press Releases:
Quote
[...]However, we did not know about this potential security vulnerability until yesterday.[...]

More deception from same Press Release:
Quote
About Superfish: Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior.  It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted.   Every session is independent. Users are given a choice whether or not to use the product. We recognize that the software did not meet expectations and have acted quickly and decisively to remove it from our products.
No one was told this adware would be pre-bundled and there certainly was no Lenovo opt-out issued.

Thus, we are where we are now. Also beware of folks too closely involved with LOL-Lenovo bearing strange gifts.

Let's be clear - the removal tool was issued by Lenovo strictly as a result of a bombardment of public pressure to do so.

   
siljaline
MVPS Hosts . MBAM . Why ESET


Corrine

Too much information in the press & hard to keep up.   The re/code article is quoted in my post above, siljaline.  ;)

Questions for you and others reading this thread: 
  • Will this Lenovo fiasco result in security experts closely examining other OEM products? 
  • Will the other OEMs make a thorough examination of what they are bundling?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.