Lenovo loads dangerous Superfish adware onto new computers -- this fish stinks
Buying a new Windows computer can be a really fun moment. When you say goodbye to your aging and slow machine, and start fresh with a new model, everything seems faster and peppier. Unfortunately, many manufacturers pre-load unwanted software on these computers, causing headaches and wasted time for the consumer. It can take hours to uninstall all of the stuff you do not want.
Sadly, Lenovo has crossed a line when it comes to this practice. Along with all the usual added software (bloatware) came a piece of adware called Superfish. From a security standpoint, it could potentially put customer data at risk through man-in-the-middle attacks, which in turn threatens the manufacturer's reputation.
Just how bad is Superfish? Very. The EFF explains, "Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken. If you access your webmail from such a laptop, any network attacker can read your mail as well or steal your password. If you log into your online banking account, any network attacker can pilfer your credentials. All an attacker needs in order to perform these attacks is a copy of the Superfish MITM private key".
Yikes. This is a horrible thing, and users of these Lenovo machines could potentially be at huge risk. Luckily, Lenovo has acted quickly by apologizing and vowing to stop.
"Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively", says Lenovo.
The company further explains, "to be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively".
What actions has Lenovo taken? The company lists the following.
- Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
- Lenovo stopped preloading the software in January.
- We will not preload this software in the future.
Should consumers and the media crucify Lenovo over this? Yes; for now. Should the manufacturer be forgiven? I say yes. The company didn't do this with the intention of hurting consumers.
True, it was a stupid mistake, but the company's overall foundation and track record are solid. If anything, the consumer outcry should cause all manufacturers to think twice before pre-loading anything questionable on their customers' PCs. All manufacturers should take this as a lesson.
While Microsoft is not to blame, I turn to them to fix the overall problem of OEMs loading crap onto consumer machines. The fact that Microsoft sells "Signature Edition" laptops with the selling point of not being loaded with unwanted software shows that there is a problem.
Moving forward, Satya Nadella and team should create stricter guidelines in their OEM licensing to prevent adware from being pre-loaded on Windows machines. Not all pre-loaded software is bad, so a distinction must be made at the top, and I urge Microsoft to act.
Can you forgive Lenovo? Tell me in the comments.
[Update] LastPass has released an online tool to see if your machine is affected. Go here to use it.
If your machine is affected, there is a removal guide listed to help.
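The EFF's point above is that the adware's root certificate sits in the Windows trust store, where Internet Explorer, Chrome and Safari for Windows look up trusted roots. The LastPass tool tests from inside the browser; as an added, offline counterpart (not code from Lenovo, LastPass or the EFF), the script below lists any trusted root in the Windows stores whose subject or issuer names Superfish. It assumes the adware's root carries "Superfish" in its Subject field, since the article gives no thumbprint, so a hit should be confirmed by eye before removal.

```powershell
# Added example: inventory the Windows trust stores for a root certificate named after Superfish.
# Assumption (not stated in the article): the adware's root CA has "Superfish" in its Subject.
# Matching is by name only; the article gives no thumbprint, so verify any hit manually.

$storePaths = @(
    'Cert:\LocalMachine\Root',   # machine-wide trusted roots, used by IE/Chrome/Safari on Windows
    'Cert:\CurrentUser\Root'     # per-user trusted roots
)

$findings = foreach ($path in $storePaths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if ($findings) {
    Write-Warning 'Superfish-named root certificate(s) present; HTTPS on this machine cannot be trusted until they are removed:'
    $findings | Format-Table -AutoSize

    # Removal, once the adware itself is uninstalled: delete the root from every store it appears in.
    # The LocalMachine store needs an elevated shell; restart browsers afterwards so they reload the store.
    # Uncomment to apply:
    # $findings | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
} else {
    Write-Output 'No Superfish-named root certificate found in the Windows trust stores.'
}
```

Firefox keeps its own certificate store rather than using the Windows one, so this check says nothing about Firefox's trust list.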