Computer manufacturer Lenovo has been caught purposefully selling new computers to consumers with preinstalled adware. The hidden adware, dubbed Superfish by researchers, embeds itself in internet browsers to deliver popup advertisements based on search terms.

Users have complained about Superfish on new laptops since last fall, but the adware has only come under fire recently with the discovery of a potentially serious security threat.  In addition to serving up targeted marketing, Superfish is able to circumvent SSL/TLS connections thanks to the ability to self-sign internet security certificates.  The vulnerability allows Superfish to conduct a man-in-the-middle (MITM) attack and view the contents of any connections that should be encrypted.  This means that normally safe internet shopping or secured private data sites are made fair game to an attacker.

Photo credit: Ken White

Self-installing security certificate issued for the Bank of America

Lenovo has stopped preinstalling Superfish on new laptops but has defended its inclusion, stating that users are presented with the terms of use and privacy policy for the product the first time they use it, and have the option to disable it. Unfortunately, uninstallation is not as simple as they claim: purchasers have discovered that while uninstalling removes the surface adware, it does not remove the root certificate, which still poses a security risk.

Recognizing the severity of the threat, Microsoft has already issued an update to Windows Defender to remove the Superfish root certificate. If you have purchased a new Lenovo computer within the last six months, you should immediately check that you have the latest Microsoft security updates and perform a scan. It should be noted, however, that while Windows Defender will remove the offending files from Internet Explorer, it will not actively seek out third-party browsers such as Firefox. If you use a third-party browser, you should double-check to ensure all remnants of Superfish have been removed.
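One way to double-check for a leftover root certificate is the read-only PowerShell audit below. It is an added example, not part of the original article or any vendor tool, and it assumes the certificate's subject or issuer contains the string "Superfish" and that Firefox profiles live in the default per-user location.

```powershell
# Added example: read-only audit for a leftover Superfish root certificate.
# Assumption: the certificate's subject or issuer contains "Superfish".
$pattern = 'Superfish'

# Windows trust stores, used by Internet Explorer and other software
# that relies on the operating system's certificate store.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

$hits = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if ($hits) {
    Write-Warning "Certificates matching '$pattern' are still trusted:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No certificate matching '$pattern' found in the Windows root stores."
}

# Firefox keeps its own certificate database per profile, separate from
# the Windows store, so a clean result above says nothing about Firefox.
# Assumption: profiles are in the default location under %APPDATA%.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profileRoot) {
    Get-ChildItem -Path $profileRoot -Recurse -Include 'cert8.db', 'cert9.db' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Output "Firefox certificate database to review in Firefox's certificate manager: $($_.FullName)"
        }
}
```

The script only reports what it finds; any match in the Windows stores, and each Firefox database it lists, still needs to be reviewed and cleaned up separately.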

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer