Lenovo shipping PCs with pre-installed Superfish adware

Lenovo landed itself in hot water as reports hit the web that the Chinese PC builder is pre-installing Superfish adware on new consumer PCs! This piece of software not only injects third-party ads in your browser but is also horribly insecure. The Verge writes Superfish potentially allows hackers to capture data transmitted over SSL connections as the program creates its own SSL certificates:

Security expert Kenn White showed Superfish's proxy certificates in action in a Twitter post today. White's photo shows a certificate issued to Bank of America, but issued by Superfish, rather than by a trusted root certificate authority such as VeriSign. The nature of Superfish, a program capable of checking web traffic and sending that data onwards for advertising purposes, means that hackers could potentially access information transmitted across supposedly secure connections — online stores and banking sites, for example, that have https:// in their URLs, and display a lock in users' browsers

Superfish has used the same private key for its root certificate on every Lenovo PC that comes preloaded with its adware. If someone was able to crack this key, hackers could create certificates or malware that all Lenovo machines would trust.

This is a problem. #superfish pic.twitter.com/jKDfSo99ZR

— Kenn White (@kennwhite) February 19, 2015

Lenovo defends its actions, claiming Superfish's technology is innocuous, but says it's no longer pre-installing the adware on new PCs and the existing copies will be removed via a software update.