Lenovo apologizes for pre-loaded insecure adware "Superfish"
Lenovo, the world's largest PC manufacturer, has apologized for security flaws in the malware they pre-install on consumer laptops, and attempted to issue instructions on how to fix a flaw that fatally compromised user security. The company was forced to issue a second set of instructions after security experts said that following its first set would do nothing to patch up the security holes the adware created. But even the second set is "incomplete", according to researchers, and leaves users of the popular Firefox browser vulnerable.
Sadly, while apologizing for the security hole the software opens up, they are standing by their pre-installed malware, saying "this tool was to help enhance our users' shopping experience". The software bombarded affected users with pop-up adverts and injected more ads into Google searches. Security experts say it also left a gaping security hole on every computer, in the form of a self-signed root certificate. That certificate was used by the software to inject adverts even into encrypted websites, but its presence has the side-effect of making affected Lenovo computers trivially easy to hack with a "man in the middle" (MITM) attack, in which a hacker uses the certificate to pretend to be a trusted website, such as a bank or e-commerce site. The "man in the middle" can then steal information passed over the internet, even while the user believes they are safely browsing with encryption turned on. Filippo Valsorda, who created the Badfish tool for determining if a computer is affected by the software, has offered instructions for how to remove it from that browser as well.
Sadly, while apologizing for the security hole the software opens up, they are standing by their pre-installed malware, saying "this tool was to help enhance our users' shopping experience". The software bombarded affected users with pop-up adverts and injected more ads into Google searches. Security experts say it also left a gaping security hole on every computer, in the form of a self-signed root certificate. That certificate was used by the software to inject adverts even into encrypted websites, but its presence has the side-effect of making affected Lenovo computers trivially easy to hack with a "man in the middle" (MITM) attack, in which a hacker uses the certificate to pretend to be a trusted website, such as a bank or e-commerce site. The "man in the middle" can then steal information passed over the internet, even while the user believes they are safely browsing with encryption turned on. Filippo Valsorda, who created the Badfish tool for determining if a computer is affected by the software, has offered instructions for how to remove it from that browser as well.
I loved my first IBM Thinkpad: full of reliableness and gusto. I type this now on my chiclet stricken, touchpad button missing (although I never use the touchpad: long live the nub!), X1 Carbon. I look at even the very next generation of X1 Carbons and see faults that would make me -- a true believer -- second guess the company's strategy.
I recommended an Ideapad to my less-than-tech-savvy friend. When it experienced its first problems I shrugged them off as the fault of Microsoft. When the problems became persistent -- for example, an incompatibility between the wifi driver and Google Fiber's router -- I started to see the Lenovo of now for what they are: a memory of what once was.