
The story of Lenovo computers sold with a pre-installed program called Superfish, which has the unwelcome consequence of catastrophically undermining their security, created quite a stir. The software was shipped with new computers for a time as a deliberate decision by Lenovo, and only now has it been recognized as a threat.
Unfortunately it has become normal to buy brand-new PCs that come preinstalled not only with Windows but also with various programs of sometimes dubious value. Terms like bloatware or crapware are often used for this software because all too often these are low-quality programs that consume a lot of memory and cause problems, so they end up doing more harm than good.
Superfish falls into the adware category because it intercepts user activity such as Google searches and uses it to show the user adverts related to the search. It is no coincidence that adware typically sneaks into a system surreptitiously, sometimes installed alongside other programs and sometimes as outright malware.
That such a program was deliberately preinstalled on a new computer by its manufacturer is disturbing in itself. The vulnerability the program introduced, without Lenovo realizing it from the start, is an extremely serious matter, because today security should be a priority for any manufacturer more than ever.
In simple terms, the most serious problem is that Superfish also intercepts encrypted connections, those made over HTTPS, using its own security certificate. The program doesn’t just monitor searches; it can, for example, monitor a connection to your bank.
According to the EFF (Electronic Frontier Foundation), the security certificates of all copies of Superfish have the same signature. This means an attacker only needs to steal it from one user to gain access to connections that are in theory protected, for everyone using a computer with Superfish active.
Technically this is called a man-in-the-middle attack (MITM or MIM), because the attacker intercepts messages between two parties communicating with each other. On Lenovo computers it is Superfish that acts as the man in the middle, and it can be exploited for an attack of that kind.
Lenovo preinstalled Superfish for a few weeks between October and December 2014. Customer complaints about the unwanted adverts were enough to change the company’s mind, but now the problem is far more serious than the annoyance of seeing unsolicited adverts.
Lenovo’s CTO (chief technology officer) Peter Hortensius told the Wall Street Journal that the company is working on software that eliminates all traces of Superfish from the PCs it is installed on. The adware can be uninstalled through the standard Windows procedure but leaves many traces in the system.
In the past few hours the removal software was put online, with the promise that it removes all Superfish traces. Superfish was installed on various models (photo: a Lenovo Yoga 2 Pro, ©Yaoj1), and on this page you can check whether your computer has the Lenovo adware active. For those who prefer to delete Superfish manually, there are instructions for doing so. Let’s hope that at least this time Lenovo did things with care!
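Superfish can intercept HTTPS because its own root certificate sits in the Windows trusted-root store, so every connection it re-signs is silently accepted by the browser. A practical way to check a machine, complementing the online check and the manual removal instructions mentioned above, is to look for that root in the local certificate stores. The script below is an added example written for this article; it is not Lenovo’s removal tool and not Superfish code. It assumes the certificate’s subject or issuer contains the vendor name "Superfish" (a pattern you may need to adjust for your own inventory), and it only reports by default: removal is left as a commented-out, deliberate administrator action.

```powershell
# Added example (not Lenovo's or Superfish's code): report any locally trusted
# root or intermediate CA whose subject/issuer mentions Superfish.
# The "*Superfish*" pattern is an assumption based on the vendor name; adjust
# it if your inventory records the certificate under a different name.
$pattern = "*Superfish*"
$stores  = @(
    "Cert:\LocalMachine\Root",   # machine-wide trusted roots (where a system-level interceptor lands)
    "Cert:\CurrentUser\Root",    # per-user trusted roots
    "Cert:\LocalMachine\CA",     # intermediate CAs, machine-wide
    "Cert:\CurrentUser\CA"       # intermediate CAs, per-user
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if ($findings) {
    Write-Warning "Interception root certificate(s) matching '$pattern' found:"
    $findings | Format-Table -AutoSize
    # Removal is a deliberate admin action; review the table first, then
    # uncomment the line below to delete the matching entries from their stores.
    # $findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    Write-Output "No certificate matching '$pattern' in the checked root/CA stores."
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable. Removing the root certificate takes away the trust that makes the interception invisible, but as the article notes the adware itself also has to be uninstalled; a certificate check alone confirms exposure, not a clean system.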
Above all, let’s hope the problem can be solved for good, but this is a real disaster. Initially Lenovo even tried to defend its choice, talking up Superfish’s alleged usefulness and minimizing its security risks. That was public-relations work, and eventually the company had to admit the mistake and apologize.
This case clearly shows what can happen when a manufacturer preinstalls third-party software on its computers. Lenovo claims not to have earned significant money from preinstalling Superfish. If that is true, it suffered a terrible blow to its image for nothing, and only time will show the exact consequences for the company.
This is an extreme case, but it really should be a lesson to all computer manufacturers. Too much bloatware and crapware is preinstalled; luckily it usually doesn’t create security problems, but it is still annoying in various ways. However, I fear that the Lenovo/Superfish case won’t change things.