Chinese computer manufacturer Lenovo has admitted that laptops shipped to stores and consumers in late 2014 had malware preinstalled.
You might want to read that again.
A major manufacturer with $38.70 billion sales in 2014 alone, has been selling computers that are actively invading their user’s privacy, enabling man in the middle attacks and basically undermining trust.
Meet Superfish. Actually, Don’t.
Central to this revelation is a piece of software – until recently considered crapware or bloatware – called Superfish Visual Discovery, a browser extension that ships preinstalled on Lenovo computers ostensibly as a technology to “find and discover products visually”.
Because obviously you can’t discover products with your ears.
The idea is that Superfish, present as a browser extension, analyses images that you view on the web, checks if they’re products, then offers “identical and similar product offers that may have lower prices”.
How does it work?
“The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.”
The problem is, not only is Superfish a browser hijack – anti-malware scanners will routinely remove adware tools that do the same thing – but there’s also the issue of the MITM vulnerability.
Remember Man in the Middle Attacks? Lenovo Does
Superfish doesn’t only hijack your browser to display ads. It also installs a self-signed root HTTPS certificate, an act that essentially renders HTTPS pointless, by intercepting encrypted traffic on every website you visit (HTTPS is the sauce that makes the web secure, and enables online banking, secure shopping, etc.). Evidence has been found that HTTPS site certificates are in fact signed by Superfish (rather than, say, your bank) and worse still (if you thought it couldn’t get any worse) the private encryption key is the same on all Lenovo computers!
This means fake sites cannot be detected by the web browser on a Lenovo PC.
To make matters worse, Rob Graham of Errata Security has cracked the encryption key that secured the Superfish certificate enabling anyone to launch MITM attacks upon PCs with that certificate installed.
Lenovo and the Malware
The release of the news came as quite a surprise…
Lenovo installs a MITM cert and proxy called Superfish, on new laptops, so it can inject ads? Someone tell me that's not the world I'm in.
— Mike Shaver (@shaver) February 19, 2015
There had been concerns and questions over Superfish for some time, and various questions on the Lenovo support forums.
This week, Lenovo announced that the Superfish Visual Discovery browser extension was being temporarily removed due to issues such as “browser pop up behavior”. Lenovo went on to explain what Superfish does, while taking pains to highlight that:
The accuracy of this assertion is up for debate.
My New Lenovo Ultrabook
Funnily enough, I’ve recently purchased a Lenovo computer a few weeks ago. By amazing coincidence, I just happened to remove the Superfish malware.
You don’t expect a modern computer manufacturer to load their computers with anything more than a trial of Microsoft Office and an internet security suite. So naturally when I was informed about Superfish, I just ignored it.
However, we at MakeUseOf use the Slack chat system for collaboration, and after a couple of days use of my new laptop, it seemed likely that the problem I was having posting messages on Slack (I could sign in without a problem) was down to the new computer.
Raising a support ticket with Slack, I was impressed by the quick response, although slightly perturbed by its contents:
- Do you have Avast (antivirus) installed?
- How about Net Nanny?
- Is this a Lenovo PC?
Yes, I too was curious about that last question, and upon replying to the affirmative, I was greeted by this suggestion:
“Can you check and see if you have software installed called ‘Visual Discovery’, by Superfish? We’ve learned that removing this software (which comes pre-installed on some systems) should clear up the problem for you. It can be a bit tricky to find, apparently.
If Visual Discovery isn’t installed, we’ve also heard ‘Browser Guard’ has the same issue.”
Naturally, I quickly removed both.
How Do You Fix The Certificate Issue?
Removing Superfish doesn’t suddenly make the MITM threat vanish. You’re still at risk, and HTTPS is effectively broken on your computer until you can fix the certificate issue.
Begin by checking if your computer is affected. Head to https://filippo.io/Badfish/ and check the results. If it looks like the image below, further action is needed.
Act quickly. Press WIN+R to open the Run box, and enter certmgr.msc. The Windows certificate manager will open, so look for Trusted Root Certification Authorities, expand it to display Certificates and then in the right-hand pane look for Superfish, Inc.
You can then return to the Badfish page (coded by one of the researchers involved with developing a page to check for the Heartbleed vulnerability in 2014) and check the result, where a more satisfactory message should be displayed.
Finish by closing your browser and rebooting Windows.
Or Just Use Windows Defender [UPDATE]
Since we published this post, Microsoft has released an update to Windows Defender that will catch and fry the Superfish, removing all traces of Lenovo’s ill-considered malware and its dodgy certificate.
Launch Windows Defender from the Start screen (type “windows defender”) and ensure the app updates, then wait for it to run its scan, detect and remove the threats.
If you’re not using Windows Defender, check your internet security suite for updates and run a scan. This may have been updated, and as such should remove Superfish automatically. If not, use the steps above for the manual removal.
What Will Lenovo Do Next?
For a computer giant, Lenovo’s response to this has been inept. This company has sold millions of laptops that shipped to stores and customers between October and December 2014, and for it to play down the malicious bloatware as a benefit for users to find bargains online is deplorable.
Since news broke, Lenovo has confirmed that:
- Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
- Lenovo stopped preloading the software in January.
- We will not preload this software in the future.
Lenovo also says that “The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.” Altruistic, or naïve?
They have also produced a list of affected devices.
Have you been affected by Superfish? How do you feel about Lenovo now? Share your reaction in the comments below.