Computer manufacturer Lenovo admitted this week not only that it had pre-installed adware on laptops, but that this software (which is called "Superfish") has made users' personal information vulnerable. Users are being urged to check to see if they are at risk, and to remove the adware if necessary.
If you've recently purchased a Lenovo laptop, you may have noticed that your brand-new PC had a tendency to display extra advertisements when you were searching the web or shopping online. If so, you saw Superfish at work. This application came pre-installed on certain Lenovo laptops sold between September 2014 and February 2015 in order to "help customers potentially discover interesting products while shopping."
Superfish Adware Issues a Security Certificate
Last month, Lenovo stopped the software from serving ads to users after receiving numerous customer complaints. But those customers may have more to worry about than annoying advertising pop-ups, because Superfish contains a potentially serious security flaw. In order to insert ads, the application installs its own security certificate as a trusted certificate on Lenovo systems, which tells the computer it can trust Superfish even to inspect web traffic that is supposed to be encrypted, such as your online banking session.
Though Lenovo has stated that the application doesn't monitor your online behavior or record any data, giving an advertising program this level of access is a privacy concern, especially because Superfish itself is insecure and easily exploitable by hackers. Because every installation of Superfish uses the same certificate and the same private key, anyone who has obtained that key could potentially exploit Superfish to eavesdrop on your online activities, which would be easy to do on a public network such as the Wi-Fi at a coffee shop. Worst of all, even if you uninstall Superfish, the security certificate remains on your system to be potentially exploited. (The certificate can be removed as well, but it needs to be done manually, as noted below.)
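To see the problem directly on a machine, here is an added PowerShell check (it is not part of the article and not Lenovo's tool): it lists any trusted root certificates whose subject or issuer names Superfish, optionally removes them, and reports whether the adware is still registered as an installed program. It assumes Windows with PowerShell 3 or later, an elevated prompt for the machine-wide store, and that the adware's certificate and program entry contain the string "Superfish".

```powershell
# Added example (not Lenovo's tool): report, and optionally remove, the
# Superfish root certificate from the Windows trusted root stores, and show
# whether the adware is still listed as an installed program.
# Assumptions: Windows with PowerShell 3+, an elevated prompt for the
# LocalMachine store, and that the certificate subject/issuer and the
# Add/Remove Programs entry contain the string "Superfish".
param([switch]$Remove)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$certs = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter, PSPath
}

if (-not $certs) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
} else {
    Write-Output 'Superfish certificate(s) present in a trusted root store:'
    $certs | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    if ($Remove) {
        # Removing the certificate is the manual step that uninstalling the
        # adware alone does not perform.
        foreach ($c in $certs) {
            Remove-Item -Path $c.PSPath -Verbose
        }
    }
}

# The adware's own program entry, if it has not been uninstalled yet.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Superfish' } |
    Select-Object DisplayName, DisplayVersion, UninstallString
if ($programs) {
    Write-Output 'Superfish is still registered as an installed program:'
    $programs | Format-List
} else {
    Write-Output 'No Superfish program entry found (the certificate check above still applies).'
}
```

Run it once without `-Remove` to see what is present; uninstall the program first and then run with `-Remove` to clear the leftover certificate.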
Lenovo's chief technology officer, Peter Hortensius, admitted to the Wall Street Journal that the company didn't do enough due diligence in the case of Superfish. However, Hortensius also stressed that the security concerns are still only theoretical and that the company has "no insight that anything nefarious has occurred." Still, Lenovo issued a Security Advisory on Superfish listing the severity of the risk as "High."
Which Models Are Affected
We recommend checking your computer for Superfish if you purchased a laptop from Lenovo at the end of 2014 and early 2015. Models that may have come with Superfish pre-installed include:
- G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
- U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
- Y Series: Y430P, Y40-70, Y50-70
- Z Series: Z40-75, Z50-75, Z40-70, Z50-70
- S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
- Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
- MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
- YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
- E Series: E10-30
However, the easiest way to find out if you're affected by Superfish is to use LastPass's online Superfish check. If this tells you that you do have Superfish installed, you can uninstall the software and the certificates by following Lenovo's instructions. If these instructions are a little too complicated, Lenovo has promised that an uninstall tool is coming soon.
Have you been affected by Superfish? What are you doing about it? Let us know in the comments below.