The latest news from PC World about pre-installed software included with Lenovo consumer computer, or crapware, as it is called, is not so much about Lenovo but online Advertising, and they should be ashamed of themselves. In their quest for online sales they have created a gaping security hole affecting Lenovo devices.
Update:
Feb 23,2015 This ARStechnica article confirms that this malware is not limited to Lenovo but is in other software as well, including:
-
CartCrunch Israel LTD
WiredTools LTD
Say Media Group LTD
Over the Rainbow Tech
System Alerts
ArcadeGiant
Objectify Media Inc
Catalytix Web Services
OptimizerMonitor
Superfish Virtual Discovery
Crapware, or pre-installed software on your new computer is nothing new. However since 2014 Lenovo has been pre-installing Superfish Virtual Discovery, which injects advertising into websites as you browse the Internet. Now, according to PC World (article) this crapware has been shown to allow man-in-the-middle attacks. It is sloppy coding, no doubt done in a hurry to get it out the door, that installs the same SSL Certificate on every Lenovo computer, replacing the one from the website you are at. It’s a classic man-in-the-middle type attack.
Uninstall won’t help
Even if you uninstall Superfish Virtual Discovery (and you should), that is not enough to fix this problem.
Chris Boyd, a malware intelligence analyst at Malwarebytes, advises;.
Boyd advises users to uninstall Superfish, then to type certmgr.msc into the Windows search bar, open the program, and remove the Superfish root certificate from there.
Not The First Time
According to PC World, this is the third time companies have been found manipulating your browser. In September it was Comcast, then it was Verizon. It seems advertizers are falling overthemselves to get your attention. The problem is they are creating unnecessary security holes in your computer in their quest for dollars. Where does it stop?
Be Ashamed
It’s Orwellian, but it’s not the government that wants to control us, it’s advertisers, it’s big business, and they should be ashamed of the level they have stooped to in order to try to get us to buy something. Advertising is intrusive enough and you can’t get any site without a pop-up or so much moving images that it’s sometimes hard to find the article you were interested in. Digiday lists the top offendors, with Weather Underground, NYDailynews.com, and Autoguide.com being some of the worst offendors.
Tell us: What is the worste website have you found littered with advertising?
Update From Lenovo
UPDATED: Superfish Statement
February 20, 2015 | Company News | Khaner Walker
At Lenovo, we make every effort to provide a great user experience for our customers. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.
We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or that of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.
We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January, and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. Detailed information on these activities and tools for software removal are available here:
http://support.lenovo.com/us/en/product_security/superfish
http://support.lenovo.com/us/en/product_security/superfish_uninstall
To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any Lenovo desktops or smartphones. This software has never been installed on any enterprise product – servers or storage — and these products are in no way impacted. And, Superfish is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort.