Lenovo apologizes for pre-loaded insecure adware "Superfish"
Lenovo, the world's largest PC manufacturer, has apologized for security flaws in the malware they pre-install on consumer laptops, and attempted to issue instructions on how to fix a flaw that fatally compromised user security. The company was forced to issue a second set of instructions after security experts said that following its first set would do nothing to patch up the security holes the adware created. But even the second set is "incomplete", according to researchers, and leaves users of the popular Firefox browser vulnerable.
Sadly, while apologizing for the security hole the software opens up, they are standing by their pre-installed malware, saying "this tool was to help enhance our users' shopping experience". The software bombarded affected users with pop-up adverts and injected more ads into Google searches. Security experts say it also left a gaping security hole on every computer, in the form of a self-signed root certificate. That certificate was used by the software to inject adverts even into encrypted websites, but its presence has the side-effect of making affected Lenovo computers trivially easy to hack with a "man in the middle" (MITM) attack, in which a hacker uses the certificate to pretend to be a trusted website, such as a bank or e-commerce site. The "man in the middle" can then steal information passed over the internet, even while the user believes they are safely browsing with encryption turned on. Filippo Valsorda, who created the Badfish tool for determining if a computer is affected by the software, has offered instructions for how to remove it from that browser as well.
Sadly, while apologizing for the security hole the software opens up, they are standing by their pre-installed malware, saying "this tool was to help enhance our users' shopping experience". The software bombarded affected users with pop-up adverts and injected more ads into Google searches. Security experts say it also left a gaping security hole on every computer, in the form of a self-signed root certificate. That certificate was used by the software to inject adverts even into encrypted websites, but its presence has the side-effect of making affected Lenovo computers trivially easy to hack with a "man in the middle" (MITM) attack, in which a hacker uses the certificate to pretend to be a trusted website, such as a bank or e-commerce site. The "man in the middle" can then steal information passed over the internet, even while the user believes they are safely browsing with encryption turned on. Filippo Valsorda, who created the Badfish tool for determining if a computer is affected by the software, has offered instructions for how to remove it from that browser as well.
The last times the company I work for had to do with Lenovo we have just had trouble:
- Two months for changing a DVD station under warranty.
- Lenovos own automatic update installed a faulty version of the BIOS bricking the motherboard. Because it bricked all motherboards of the same model, they could not fix them fast enough for everybody all around the globe so we had to be without computer for a long time.
How is it even possible to have so low quality control that a faulty version of a BIOS is reaching automatic updates?