A security researcher says Lenovo shipped PCs with pre-installed software called “Superfish” that is not only malware but dangerous malware, one that leaves the system susceptible to attacks from hackers and other outsiders.
The suspicious software was detailed in a report from Errata Security CEO Robert Graham, who posted information on Errata’s website discussing the problems with Superfish.
“It’s designed to intercept all encrypted connections, things it shouldn’t be able to see,” Graham said, noting that it’s worse than standard packaged software that’s also often loaded with ads and free trials. “It does this in such a poor way that it leaves the system open to hackers or NSA-style spies.”
“Their business comes from earning money from those ads, and it pays companies (like Lenovo) to bundle the software against a user’s will,” Graham said of Superfish. “They rely upon the fact that unsophisticated users don’t know how to get rid of it, and will therefore endure the ads.” Graham said that the practice is actually legal, even though Superfish isn’t safe for end-users and can be hard to remove from a system.
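Intercepting encrypted connections the way Graham describes requires a certificate authority the machine trusts, so the practical check for an affected PC is the Windows trusted root store. The following PowerShell is an added example, not code from the article, Errata Security or Lenovo; it assumes a Windows machine and uses the “Superfish” name from the article as the search pattern.

```powershell
# Added example: inventory trusted root certificates on a Windows machine and flag
# the ones that indicate a local interception setup. The 'Superfish' pattern comes
# from the article; everything else here is an assumption for illustration.
$namePattern = 'Superfish'

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $suspicious = $_.Subject -match $namePattern
        # A trusted root whose private key is present on this machine is what lets
        # locally installed software issue a certificate for any HTTPS site on the
        # fly; the same key, once extracted, lets anyone else do so against this PC.
        $keyLocal = $_.HasPrivateKey
        if ($suspicious -or $keyLocal) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $keyLocal
                Reason        = if ($suspicious) { "subject matches '$namePattern'" }
                                else { 'trusted root with a local private key' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No root certificate matched '$namePattern' and none carries a local private key."
}
```

Review any hit by thumbprint before acting, since a machine that legitimately runs its own CA can also show a root with a local key; uninstalling the application alone does not clear the exposure, the root certificate must be removed from the store as well.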
Graham said it appears Superfish was installed on systems in June of last year, though a statement from Lenovo said it was installed between September and December of 2014 “to help customers potentially discover interesting products while shopping.”
Lenovo said that customer feedback “was not positive,” and that it “completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active” for all products that are in the market. The company says it will no longer install Superfish and that it did not “find any evidence to substantiate security concerns.” Here’s how Lenovo explained the malware:
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
Lenovo said it’s providing support for users who fear their systems may still be affected by Superfish, and we’ve included a link to its forums below that provide instructions for removing the software.