The following article appeared in Gizmodo, February 19, 2015
Lenovo Installs Adware on New Computers That Could Steal Private Data
Oh no, Lenovo. Users are reporting on the company’s forums that its computers are coming with adware installed straight out of the box—adware that can monitor secure connections.
According to a number of Lenovo users, software called Superfish is installed on factory-fresh laptops. The adware injects third-party ads into Google searches and onto websites without the user’s permission—on Chrome and Internet Explorer, at least. That alone is bad but not awful. But other users have pointed out that the adware also installs its own self-signed certificate authority—creating spurious SSL certificates—allowing it to monitor secure connections.
Security expert Kenn White has posted images on Twitter showing that, as an example, the software provides a certificate issued to Bank of America, but issued by Superfish—whereas usually that would be done by a trusted body like VeriSign. Given that Superfish’s whole purpose is to inspect browsing data and forward it to ad companies, allowing it to access secure content in this way is clearly a Bad Thing. But it gets worse. It seems Superfish uses the same private key for its root certificate on every machine it’s installed on, explains The Verge. If someone could crack that key, it would be possible to create certificates that any Superfish-fuelled Lenovo computer—probably, at this point, most of them—would trust, allowing malicious code to wriggle in unannounced.
In a forum post in January, a Lenovo community administrator called Mark Hopkins wrote that Lenovo has “temporarily removed Superfish from our consumer systems” but defended its presence, explaining that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.” Now that a rather serious security hole has been identified, the company might think differently.
We’ve got in touch with Lenovo to find out what its current stance on Superfish is. [The Next Web, Verge]
Note: If you want to check your computer for Superfish adware, visit https://lastpass.com/superfish/
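The Bank of America example above boils down to one observable fact: the browser is shown a certificate for the bank whose issuer is Superfish rather than the CA the bank actually uses. The script below, added here as an illustration and not part of the Gizmodo article or the LastPass checker, fetches the leaf certificate a TLS connection presents and flags an issuer that looks like the injected Superfish CA or that is not one the checker expects for that site. The expected-issuer names and the sample certificate dictionaries are constructed for the example.

```python
import socket
import ssl

# Issuer organizations the checker expects for the sites it is pointed at.
# Constructed for this example; a real deployment would pin per-host values.
EXPECTED_ISSUER_ORGS = {"VeriSign, Inc.", "DigiCert Inc"}

# Substring that identifies the Superfish root CA named in the article
# (assumed to appear in the organizationName of its issuer field).
SUSPECT_MARKERS = ("superfish",)


def rdn_value(name, attr):
    """Pull one attribute (e.g. 'organizationName') out of the nested
    RDN tuples that ssl.getpeercert() returns for subject/issuer."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_cert(cert):
    """Return (verdict, issuer_org). 'suspect' means the issuer looks like
    the injected Superfish CA; 'unexpected' means the issuer is not one we
    pinned; 'ok' means it matches a pinned issuer."""
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName") or ""
    if any(marker in issuer_org.lower() for marker in SUSPECT_MARKERS):
        return "suspect", issuer_org
    if issuer_org not in EXPECTED_ISSUER_ORGS:
        return "unexpected", issuer_org
    return "ok", issuer_org


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate presented for host using the system trust
    store. On a machine where the Superfish root was installed, verification
    may succeed, so the issuer check above is what catches the interception."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in ssl.getpeercert() format, mirroring the article:
# a Bank of America certificate issued by Superfish versus one by VeriSign.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
SAMPLE_EXPECTED = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
}
```

Running `classify_cert(fetch_peer_cert("www.bankofamerica.com"))` on a suspect machine gives the same kind of verdict as the screenshots the article describes, without trusting what the browser's padlock says.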
The first thing I do with a new computer is run Decrapifier to identify all the preinstalled junk, so I can delete it. I intended to provide a download link in this post, but I didn’t know which download site was safe. Would PC Decrapifier identify the adware discussed in this article?
See the article here to check for and remove
http://www.pcworld.idg.com.au/article/566812/how-remove-dangerous-superfish-adware-preinstalled-lenovo-pcs/?utm_campaign=gear-daily-2015-02-20&utm_medium=newsletter&eid=-700&utm_source=gear-daily&uid=22620
We already included a link to lastpass and its superfish remover – a lot less annoying than PC World’s ad-riddled pages 🙂 But hey thanks!