After the recent revelation that Lenovo has been shipping some of its laptops with pre-installed adware that also breaks the security of HTTPS connections by installing a self-signed root certificate used to MITM SSL traffic, the company has attempted to minimize the fallout by reiterating its initial explanation of why it did it: to help its customers.
“In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. We thought the product would enhance the shopping experience, as intended by Superfish,” they said, but found that it did not meet their expectations or those of their customers. “In reality, we had customer complaints about the software.”
So, they apparently stopped the preloads beginning in January, and have shut down the server connections that enable the software. They also offered tools for the software’s removal – even though you will have better luck with this easy Superfish removal guide, which also tells you how to remove the offending Superfish certificate, and offers an online test to check if you are affected at all.
According to Lenovo’s statement, users who bought a ThinkPad notebook, a Lenovo desktop or smartphone are safe from Superfish. “This software has never been installed on any enterprise product – servers or storage – and these products are in no way impacted.”
The list of affected Lenovo laptop models is as follows:
- G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
- U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
- Y Series: Y430P, Y40-70, Y50-70
- Z Series: Z40-75, Z50-75, Z40-70, Z50-70
- S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
- Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
- MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
- YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
- E Series: E10-30.
The company’s statement is an improvement on its CTO’s pronouncement that this issue presents a theoretical concern and Superfish does not present a security risk to users.
Robert Graham, CEO of Errata Security, begs to differ, especially when he so easily “extracted the certificate from the SuperFish adware and cracked the password (‘komodia’) that encrypted it.”
Since all the affected Lenovo laptops have the same certificate (and, as Graham showed, the same private key) installed, an attacker on the same network as the user – for example, a public Wi-Fi hotspot – can easily intercept the user's encrypted communications.
The aforementioned password indicated that the Superfish software includes the Komodia Redirector and SSL Digestor libraries, about which the CERT division at Carnegie Mellon University released a warning on Thursday.
The only solution for this problem is to uninstall Komodia Redirector SDK and the associated root CA certificates (here is how to do it, also on Firefox).
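The following PowerShell script is an added example, not part of the article or of any Lenovo tool: it lists any certificate in the Windows trusted-root stores whose Subject contains "Superfish" (the match pattern is an assumption; adjust it if your copy of the certificate is named differently) and, with the `-Remove` switch, deletes it.

```powershell
# Added example: find (and optionally remove) the Superfish root CA in the
# Windows trusted-root stores. Assumption: the offending certificate can be
# recognised by "Superfish" in its Subject field.
# Run from an elevated prompt to inspect or modify the LocalMachine store.
function Find-SuperfishRootCa {
    param(
        [string]$Pattern = '*Superfish*',   # assumed subject match
        [switch]$Remove
    )
    $found = @()
    # Check both the machine-wide and the per-user trusted-root stores.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
        $mode = if ($Remove) { 'ReadWrite' } else { 'ReadOnly' }
        try {
            $store.Open($mode)
        } catch {
            Write-Warning "Cannot open $location\Root with $mode access (not elevated?): $_"
            continue
        }
        $matches = @($store.Certificates | Where-Object { $_.Subject -like $Pattern })
        foreach ($cert in $matches) {
            $found += [pscustomobject]@{
                Store      = "$location\Root"
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
            if ($Remove) {
                # Delete the trust anchor so forged certificates stop validating.
                $store.Remove($cert)
            }
        }
        $store.Close()
    }
    return ,$found
}

# Report only; add -Remove to delete whatever is found.
$hits = Find-SuperfishRootCa
if ($hits.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
} else {
    $hits | Format-Table -AutoSize
}
```

Firefox keeps its own certificate store, which this script does not touch; the removal guide linked above covers that case.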
To prevent surprises such as this one in the future, you might also want to consider doing a clean install of Windows when you buy a new computer.