If you have recently bought a new Lenovo computer, you’re in for a nasty surprise: the company has been shipping them with pre-installed adware.
What is even worse, the software in question performs man-in-the-middle (MITM) interception of SSL connections, made possible by installing its own self-signed certificate authority into the system trust store. Because every certificate signed by that CA is trusted, the company behind the malware can intercept secure connections and collect the unencrypted data, as a poster on the Lenovo forums showed.
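A defender's check for the interception root described above, as an added example that is not part of the original article: it flags self-signed roots whose name mentions Superfish and tells whether a site certificate chains to such a root. The `SAMPLE_STORE` and `SAMPLE_PEER` data are constructed to mirror the dict format of `ssl.SSLContext.get_ca_certs()` and `SSLSocket.getpeercert()`; the names in them are illustrative, not the real certificates.

```python
"""Detect a locally installed TLS-interception root such as the Superfish CA."""
import ssl

# Constructed sample trust store: one legitimate public root and one
# Superfish-style root, in the format get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("commonName", "Example Public Root CA"),),),
     "issuer": ((("commonName", "Example Public Root CA"),),)},
    {"subject": ((("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),))},
]

# Constructed peer certificate as getpeercert() would show it after the
# interception proxy re-signed a site certificate with its local root.
SAMPLE_PEER = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}


def flat_name(name):
    """Turn the nested name tuples into a plain {attribute: value} dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def is_self_signed(cert):
    """A root CA signs itself, so subject and issuer are identical."""
    return flat_name(cert["subject"]) == flat_name(cert["issuer"])


def suspicious_roots(store, markers=("superfish",)):
    """Self-signed roots whose subject mentions a known interception vendor."""
    hits = []
    for cert in store:
        name = " ".join(flat_name(cert["subject"]).values()).lower()
        if is_self_signed(cert) and any(m in name for m in markers):
            hits.append(cert)
    return hits


def issued_by_suspicious_root(peer_cert, store):
    """True when a site certificate was signed by a flagged local root."""
    bad_issuers = [flat_name(c["subject"]) for c in suspicious_roots(store)]
    return flat_name(peer_cert["issuer"]) in bad_issuers


if __name__ == "__main__":
    # On Windows the default context loads the system root store.
    live_store = ssl.create_default_context().get_ca_certs()
    for cert in suspicious_roots(live_store):
        print("suspicious root:", flat_name(cert["subject"]))
```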
A Lenovo administrator took to the forum to explain what Superfish does:
“To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine,” he said.
He also stated that, because of these issues, Lenovo has temporarily removed Superfish from its consumer systems until Superfish can provide a software build that addresses them. “As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues,” he said.
However reasonable this explanation sounds to Lenovo, I seriously doubt users will be happy about it. Lenovo has obviously made a serious blunder.
Update: February 19, 2015, 2:47 PM PT. An easy Superfish removal guide has been published.