Lenovo shipping PCs with pre-installed Superfish adware

Posted on Thursday, Feb 19 2015 @ 14:34 CET by Thomas De Maesschalck
Lenovo landed itself in hot water as reports hit the web that the Chinese PC builder is pre-installing Superfish adware on new consumer PCs! This piece of software not only injects third-party ads into your browser but is also horribly insecure. The Verge writes that Superfish potentially allows hackers to capture data transmitted over SSL connections, because the program creates its own SSL certificates:
Security expert Kenn White showed Superfish's proxy certificates in action in a Twitter post today. White's photo shows a certificate issued to Bank of America, but issued by Superfish, rather than by a trusted root certificate authority such as VeriSign. The nature of Superfish, a program capable of checking web traffic and sending that data onwards for advertising purposes, means that hackers could potentially access information transmitted across supposedly secure connections — online stores and banking sites, for example, that have https:// in their URLs, and display a lock in users' browsers.
Superfish has used the same private key for its root certificate on every Lenovo PC that comes preloaded with its adware. If someone was able to crack this key, hackers could create certificates or malware that all Lenovo machines would trust.

Lenovo defends its actions, claiming Superfish's technology is innocuous, but says it's no longer pre-installing the adware on new PCs and the existing copies will be removed via a software update.
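The symptom described in the quote above, a site certificate whose issuer is Superfish instead of a public certificate authority, can be checked from the affected machine itself. The following is an added example, not code from the article or from Lenovo; the function names, the `bank.example` host and the sample certificate dictionaries are constructed for illustration.

```python
import socket
import ssl

# Issuer name fragments to flag; "superfish" is the issuer named in the article.
WATCHLIST = ("superfish",)

def flatten(name):
    """Turn a getpeercert() subject/issuer tuple of RDNs into {attribute: value}."""
    return {key: value for rdn in name for key, value in rdn}

def check_cert(peercert, expected_issuer_org=None):
    """Return findings for one leaf certificate; an empty list means nothing flagged."""
    issuer = flatten(peercert.get("issuer", ()))
    host = flatten(peercert.get("subject", ())).get("commonName", "?")
    issuer_text = " ".join(issuer.values()).lower()
    findings = [f"{host}: issuer matches watchlist entry '{w}'"
                for w in WATCHLIST if w in issuer_text]
    org = issuer.get("organizationName")
    if expected_issuer_org and org != expected_issuer_org:
        findings.append(f"{host}: issuer org {org!r}, expected {expected_issuer_org!r}")
    return findings

def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents to this machine.
    On Windows, create_default_context() loads the system ROOT store, so a
    certificate signed by a locally installed root still validates and is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the format returned by SSLSocket.getpeercert().
CLEAN = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", "Constructed Public CA"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}

if __name__ == "__main__":
    for label, cert in (("clean", CLEAN), ("intercepted", INTERCEPTED)):
        print(label, check_cert(cert, expected_issuer_org="VeriSign, Inc."))
```

On a real machine, pass the result of `fetch_peer_cert()` for a few HTTPS sites to `check_cert()`; the same watchlisted issuer appearing for unrelated sites points to a local interception proxy.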
