Update #3 (Feb 21): Lenovo has released an automatic Superfish removal tool. In addition, the company updated their statement regarding the Superfish adware controversy acknowledging the security risks and stating the company is now “focused on fixing” their mistake.
Update #2 (Feb 20): Microsoft has updated Windows Defender so it will remove Superfish adware by default.
Update (Feb 20): Lenovo has issued an official statement this morning addressing the controversy surrounding Superfish. According to the company, it has not found any evidence to substantiate security concerns, but it is responding to customer concerns by dropping the software from all past and future systems it sells. We’ve added the full statement at the end of this story.
Lenovo has been caught installing a type of adware, known as ‘Superfish’, onto some new consumer laptops that activates when a user powers on and sets up their machine for the first time.
Superfish hijacks your web browser to inject its own selection of ads into webpages, including Google searches. On top of that, the adware installs a self-signed certificate authority as a trusted root on the machine, which lets it intercept encrypted (HTTPS) connections, such as those to banking websites, either to serve ads or to snoop on users.
This type of behavior, especially hijacking secure connections for whatever purpose, is widely condemned and potentially malicious. Most anti-malware products will warn you against installing Superfish, or block the installer altogether, as its behavior is unwanted and unwarranted.
Bundling adware on new systems is a dodgy and dangerous move for one of the largest PC manufacturers in the world. Lenovo community administrator Mark Hopkins stated that Superfish is merely a helpful tool that “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices”, though its issues are clear and most users don’t want the software installed at all.
When hackers get Superfish root cert private key, they will be able to make their viruses look like Microsoft wrote them to Lenovo customers
— InfoSec Taylor Swift (@SwiftOnSecurity) February 19, 2015
For now, Lenovo has stopped bundling Superfish with new systems, although that’s only until the company behind the adware can tweak it to make it less aggressive. Unless Lenovo has a change of heart, they will continue to bundle the adware with new systems in the near future.
As for those who are affected by Superfish, there are ways to remove the software from your system, though it’s more complex than simply running an uninstaller, since the trusted root certificate it installed has to be removed as well. Purchasing a Lenovo laptop with Microsoft’s Signature Experience on board will also prevent Superfish, and any other crapware, from being installed in the first place.
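Because the dangerous part of Superfish is the trusted root certificate rather than the program itself, a practical first check is to audit the Windows certificate stores for it. The following PowerShell script is an added example written for this article; it is not Lenovo’s or Superfish’s code and not the removal procedure the article links to. It assumes the certificate’s subject name contains the string “Superfish” (the article does not quote the exact distinguished name); adjust the -Pattern parameter if the name differs. By default it only reports matches; pass -Remove from an elevated prompt to delete them.

```powershell
# Added example (not from the article): audit the Windows trusted root stores
# for a certificate authority whose name matches the adware vendor, and
# optionally remove it. ASSUMPTION: the CA's subject contains "Superfish".
param(
    [switch]$Remove,
    [string]$Pattern = 'Superfish'
)

# A locally installed CA may live in the machine-wide or the per-user trusted
# root store, so both are checked. (Avoid naming the result $matches; that is
# a PowerShell automatic variable.)
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" }
}

if (-not $found) {
    Write-Output "No trusted root certificate matching '$Pattern' was found."
    return
}

foreach ($cert in $found) {
    # A root CA is self-signed, so Subject and Issuer are identical. Any root
    # you did not knowingly install is what allows a local proxy to present
    # forged certificates for HTTPS sites without a browser warning.
    Write-Output ("{0}`n  Subject:    {1}`n  Thumbprint: {2}`n  Expires:    {3}" -f
        $cert.PSParentPath, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    if ($Remove) {
        # Removing the certificate object from the store path revokes trust
        # for anything signed by this CA on this machine.
        Remove-Item -Path $cert.PSPath
        Write-Output "  Removed from store."
    }
}
```

Run it as `.\Find-SuperfishRoot.ps1` to report, or `.\Find-SuperfishRoot.ps1 -Remove` (elevated) to delete what it finds. Note that Firefox keeps its own certificate store separate from Windows, so a certificate cleared from the Windows stores may still need to be removed from Firefox’s certificate manager.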
Lenovo has since responded to the controversy with the following statement:
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
- Superfish has completely disabled server-side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
- Lenovo stopped preloading the software in January.
- We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com.