dslreports logo
 story category
Lenovo In Hot Water For Man In The Middle Adware

Lenovo is taking heat for pre-installing a man in the middle adware by the name of Superfish on many of the company's computers. According to Ars Technica, the Superfish malware hijacks encrypted Web sessions and -- because the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears is the same for every Lenovo machine -- makes Lenovo users vulnerable to HTTPS man-in-the-middle attacks that should be relatively easy for attackers to carry out:

quote:
As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
Much like Verizon's super cookie, and despite the countless security professionals in existence, for some reason Lenovo's adware has been in circulation for more than a year without anybody noticing. There's some additional discussion over at these two threads at the official Lenovo forums. Lenovo claims that their newest computers are shipping adware free. ZDNet states that the only way to remove the malware is to re-install Windows from a non-Lenovo disk image.

Update: Lenovo has issued a fairly lame opening PR salvo as part of damage control efforts, including this little tidbit:
quote:
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
Update 2: Lenovo appears to have struck that part of their statement after realizing how ridiculous it was.

Most recommended from 54 comments



Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA

4 recommendations

Napsterbater

MVM

This just reinforces my use of full wipes on new systems.

Its the first thing I do, I like Lenovo's hardware though.