Still smarting from HTTPS-busting Superfish debacle, Lenovo says sorry

Lenovo's top technical executive apologized once again for pre-installing laptops with software that intercepted customers' encrypted Web traffic, and the company has gone on to outline plans to ensure that similar mistakes don't happen again.

"This software frustrated some users without adding value to the experience so we were in the process of removing it from our preloads," Lenovo CTO Peter Hortensius wrote in an open letter published Monday afternoon. "Then, we saw published reports about a security vulnerability created by this software and have taken immediate action to remove it. Clearly this issue has caused concern among our customers, partners, and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologize."

Hortensius went on to enumerate the ways affected customers can remove Superfish software, which installs a dangerous Secure Sockets Layer credential in the root certificate authority folder of affected PCs. In addition to an automated removal tool created and distributed by Lenovo, antivirus software from Microsoft, McAfee, and Symantec will also detect and remove the threat. Hortensius said that Lenovo plans to release an updated system for addressing software vulnerabilities and security threats. Options include creating a "cleaner PC image," working with customers and security professionals to create a better policy for pre-installed software, and "soliciting and assessing the opinions of even our harshest critics" as they relate to product security.

Read 2 remaining paragraphs | Comments