1. Akshay Masand's Avatar


    The Chinese PC manufacturer, Lenovo, seems to have found itself in the middle of a public relations disaster after it was discovered that it sold notebook computers with pre-installed software that hijacks users’ browser sessions to inject customized advertisements and seriously degrades the security of encrypted connections. The software, which was identified as being named Superfish, is supposed to be a contextual search platform that has been shown to act as a transparent proxy for requests flowing through browsers on Lenovo machines. It is set to analyze the content of websites, inserting advertisements that it considers relevant.

    In an effort to access HTTPS requests, Superfish also comes loaded with a self-signed root certificate. It functions by signing using this self-signed root certificate instead of the actual certificate of the site owner on pages that are loaded over – a move which allows Superfish to decrypt the contents. This essentially creates a very big security problem. Anyone with the encryption password for the certification, which was easily found by security experts, can extract the private key and perform an attack to intercept the communications of any computer with the certificate installed. Alternatively, it can also be used to craft real-looking phishing websites that are in actuality fake.

    Lenovo acknowledged that it had installed Superfish on “some consumer notebooks shipped in a short window between September and December.” The company promised that the backend services powering the ad injection technology have already been disabled and going forward, the company won’t be including Superfish on any future products. That being said, this doesn’t do much to help with the security concerns caused by allowing the installation of a self-signed root certificate in the first place. Despite all of this news, Lenovo doesn’t seem to be worried either. The company ended up saying the following in a statement:

    “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”

    We’ll have to see how this affects Lenovo in the long run. The issue as a whole could play a role in hurting their sales.

    Source: Errata Security, Lenovo, Twitter (Chris Palmer)

    Twitter: @AkshayMasand
    2015-02-21 11:00 PM
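
Added example, not part of the original post or of any vendor tooling: because the post describes every HTTPS page being re-signed by one locally trusted root, a simple audit is to compare the issuer each site presents with a baseline recorded on a clean machine. The host names, CA names, watchlist match and function names are assumptions made for this sketch.

```python
# Added example: compare observed certificate issuers with a clean baseline.
# Input dicts use the format returned by ssl.SSLSocket.getpeercert().

# "Superfish" is the software named in the post; assuming the name also
# appears in the issuer of certificates it signs is this example's assumption.
WATCHLIST = ("superfish",)


def issuer_names(peercert):
    """Flatten the nested 'issuer' tuple into {attribute: value}."""
    return {k: v for rdn in peercert.get("issuer", ()) for k, v in rdn}


def audit(observed, baseline):
    """Return (host, issuer, reason) for every host with a suspect issuer.

    observed: host -> getpeercert() dict from the machine under test
    baseline: host -> issuer organizationName recorded on a clean machine
    """
    findings = []
    for host, cert in sorted(observed.items()):
        names = issuer_names(cert)
        org = names.get("organizationName", "")
        label = org or names.get("commonName", "<no issuer>")
        text = " ".join(names.values()).lower()
        if any(word in text for word in WATCHLIST):
            findings.append((host, label, "watchlisted issuer"))
        elif org != baseline.get(host):
            findings.append((host, label, "issuer differs from baseline"))
    return findings


def single_issuer(findings):
    """True when 2+ flagged hosts share one issuer, as with a local proxy
    that re-signs every site with the same root."""
    return len(findings) > 1 and len({issuer for _, issuer, _ in findings}) == 1


def make_cert(org):
    return {"issuer": ((("organizationName", org),), (("commonName", org),))}


# Constructed sample data (hosts and CA names are made up).
BASELINE = {"bank.example": "Example Trust CA", "mail.example": "Sample Root CA"}
CLEAN = {host: make_cert(org) for host, org in BASELINE.items()}
PROXIED = {host: make_cert("Superfish Test Root") for host in BASELINE}

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("proxied", PROXIED)):
        found = audit(data, BASELINE)
        print(name, found, "single issuer:", single_issuer(found))
```

A baseline mismatch on its own is only a lead, since sites do change certificate authorities; several unrelated hosts suddenly sharing one issuer is the stronger signal.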
  2. GrandMstrBud's Avatar
    I was thinking about getting a Lenovo, not sure which models were all affected
    2015-02-22 04:11 AM
  3. SpiderManAPV's Avatar
    I was thinking about getting a Lenovo, not sure which models were all affected
    They released a list. Regardless, it's fairly simple to remove from all I've heard. Suffice it to say I'd check before buying anything with them for a while, though.

    ......beware......
    Just your friendly neighborhood Spider-Man!
    2015-02-22 05:23 AM
  4. GrandMstrBud's Avatar
    Probably nothing reloading the OS from scratch wouldn't fix. I sometimes do that to get rid of all the bloatware new PC's come with
    2015-02-23 04:12 AM
  5. Perlova's Avatar
    Probably nothing reloading the OS from scratch wouldn't fix. I sometimes do that to get rid of all the bloatware new PC's come with
    I have had to remove bloatware from HP computers for a long time now.
    "Where are we going and why am I in this handbag?"
    2015-02-26 08:41 PM