Lenovo admits to Superfish screw-up, will release clean-up tool

The company confirmed that a software program preloaded on some of its laptops exposes users to potential attacks

Lenovo has admitted it "messed up badly" by pre-loading software on some consumer laptops that exposed users to possible attack, and said it will soon release a tool to remove it.

"I have a bunch of very embarrassed engineers on my staff right now," Lenovo CTO Peter Hortensius said in an interview Thursday. "They missed this."

Users have been complaining since September about the third-party program, called Superfish, which injects product recommendations into search results. But it only emerged Wednesday that the program also opens a serious security hole.

The program interferes with SSL-encrypted Web traffic by installing its own root certificate in the trusted certificate store used by browsers. It then uses that root certificate to generate SSL certificates on the fly for HTTPS-enabled websites as users visit them. This allows it to act as a man-in-the-middle proxy between users and those secure websites.

Security experts discovered that the certificate's private key can be recovered by reverse-engineering the software, enabling malicious hackers to launch man-in-the-middle attacks when users connect to public Wi-Fi hotspots or compromised networks. This was confirmed by Robert Graham, CTO of Errata Security, who managed to extract the private key.

The fact that Superfish has left users vulnerable to attack is unacceptable, Hortensius said. He said Lenovo wasn't aware of the vulnerability until it was publicly disclosed.

The company is working to "make this right," he said. It has already published instructions for how users can remove Superfish, and it will soon release a clean-up tool that will uninstall the program and delete the root certificate it created. The tool could be released as early as later today.

Lenovo is also investigating ways to deliver the tool as an automatic patch, possibly through partners such as Microsoft and McAfee, instead of relying on users to download it from its website. It's also looking at how it might be able to remove the software from the "preload" of the affected laptops -- the Windows deployment preloaded with drivers and software that's stored on the hidden recovery partition and used for factory resets.

Making this right also means setting up mechanisms to ensure something like this doesn't happen again, Hortensius said. "We'll make sure to have a much more detailed understanding of programs that go on our preload and they will not go if we think they're open to attack."

In the meantime, Lenovo has been in contact with browser and antivirus vendors to discuss ways of fixing the issue.

Browser vendors will likely add the Superfish root certificate to their blacklists, which would prevent it from being trusted by browsers even if it's not removed. However, there are other programs that use encryption, like VPN clients, that rely on the Windows certificate store to establish trust and to validate the certificates they receive. Those could be open to attack as well, if the Superfish certificate is not removed.

Initially, Firefox users were thought to be unaffected, because Firefox uses its own certificate root store rather than the one in Windows. However, the Electronic Frontier Foundation discovered 44,000 man-in-the-middle certificates signed by the same Superfish root certificate through its Decentralized SSL Observatory project, which collects data from Firefox browsers that have the HTTPS Everywhere extension installed.

"This either indicates that Superfish also injects its certificate into the Firefox root store, or that on a large number of occasions Firefox users have been clicking through certificate warnings caused by Superfish MITM attacks," the EFF said in a blog post.

"At the end of the day, we messed up badly," Hortensius said. "There is no other way to say it. We're not trying to hide. We're trying to do everything we can do to solve the problem for people and subsequently make sure this doesn't happen again."

According to Lenovo, the Superfish software was only installed on some consumer laptops sold through retail stores between September and January. The company stopped preloading the software after receiving negative feedback from users and asked Superfish to remotely disable the service for existing installations.

However, while this stopped the intrusive product recommendations, it did not remove the software or the root certificate it created. In fact, Lenovo confirmed that even if the software is uninstalled manually, the root certificate, and hence the vulnerability, is left behind. That's why the company plans to release the separate clean-up tool.

Laptops that may have come preloaded with the Superfish software are in the company's G Series, U Series, Y Series, Z Series, S Series, Flex Series, MIIX Series, YOGA Series and E Series. A complete list of potentially affected models is here.


Lucian Constantin

IDG News Service