Story 2015-02-20 (#3GD2)

Lenovo apologizes for pre-loaded insecure adware "Superfish"

by
in microsoft on (#3GD2)
Lenovo, the world's largest PC manufacturer, has apologized for security flaws in the malware they pre-install on consumer laptops, and attempted to issue instructions on how to fix a flaw that fatally compromised user security. The company was forced to issue a second set of instructions after security experts said that following its first set would do nothing to patch up the security holes the adware created. But even the second set is "incomplete", according to researchers, and leaves users of the popular Firefox browser vulnerable.

Sadly, while apologizing for the security hole the software opens up, they are standing by their pre-installed malware, saying "this tool was to help enhance our users' shopping experience". The software bombarded affected users with pop-up adverts and injected more ads into Google searches. Security experts say it also left a gaping security hole on every computer, in the form of a self-signed root certificate. That certificate was used by the software to inject adverts even into encrypted websites, but its presence has the side-effect of making affected Lenovo computers trivially easy to hack with a "man in the middle" (MITM) attack, in which a hacker uses the certificate to pretend to be a trusted website, such as a bank or e-commerce site. The "man in the middle" can then steal information passed over the internet, even while the user believes they are safely browsing with encryption turned on. Filippo Valsorda, who created the Badfish tool for determining if a computer is affected by the software, has offered instructions for how to remove it from Firefox as well.
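
The mechanism described above, as an added example that is not Lenovo's, Superfish's or Valsorda's Badfish code: a constructed self-signed root named "Example Adware Root" (an assumption, not the real Superfish subject) stands in for the preloaded certificate. Once that root sits in the trust store, a certificate minted for any hostname with the root's private key validates exactly like a genuine one, which is the man-in-the-middle condition the story describes. The `flagRoots` helper is the defender's side: a watchlist match over the root store, the kind of check a detection or removal tool runs. All names and the watchlist string are assumptions.

```go
package main

// Added example (not Lenovo's, Superfish's or Badfish's code). Shows why a
// vendor-trusted self-signed root lets whoever holds its key impersonate any
// TLS site, plus a watchlist check over trusted roots. "Example Adware Root"
// is a constructed name, not the real Superfish subject.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newRoot builds a self-signed CA certificate and its private key.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name, Organization: []string{name}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host with the root's key. Anyone
// holding that key can do this for any hostname, which is the whole problem
// when the same root and key ship on every machine.
func issueLeaf(host string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// poolOf builds a trust store from the given roots (empty means a clean store
// with no vendor additions at all).
func poolOf(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// chainsFor reports whether leaf validates for host against roots, i.e. the
// decision a browser makes before it shows the padlock.
func chainsFor(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// flagRoots returns the subjects of roots whose subject contains any
// watchlist entry (case-insensitive). A real tool would run this over the
// machine's root store with the vendor's actual issuer name on the list.
func flagRoots(watchlist []string, roots ...*x509.Certificate) []string {
	var hits []string
	for _, c := range roots {
		subj := strings.ToLower(c.Subject.String())
		for _, w := range watchlist {
			if strings.Contains(subj, strings.ToLower(w)) {
				hits = append(hits, c.Subject.String())
				break
			}
		}
	}
	return hits
}

func main() {
	root, key, err := newRoot("Example Adware Root") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf("bank.example", root, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("clean store accepts forged bank cert:", chainsFor(leaf, poolOf(), "bank.example"))
	fmt.Println("store with adware root accepts it:   ", chainsFor(leaf, poolOf(root), "bank.example"))
	fmt.Println("flagged roots:", flagRoots([]string{"adware"}, root))
}
```

The clean pool rejects the forged certificate (an unknown-authority error from `Verify`), while the pool containing the extra root accepts it for the hostname it was minted for. Hostname checking still applies, which is why detection only needs the root's subject, not its private key: if the root is present at all, the machine is exposed.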

They should make a warning commercial for TV like drug makers do when their drugs are found to be BA (Score: 0)

by Anonymous Coward on 2015-02-20 20:56 (#3GDT)

but that would never be, especially in the Land of The Free!

gparted (Score: 0)

by Anonymous Coward on 2015-02-20 23:06 (#3GKP)

So, like what if I just trash the partitions with a bootable live ISO?

As long as it runs Linux, I don't honestly give a shit about Lenovo crapware.

Re: gparted (Score: 2)

by nightsky30@pipedot.org on 2015-02-20 23:44 (#3GMG)

More than acceptable :)

And kudos to Filippo for helping all the users out there that do not have the expertise to reinstall the same OS or install a different OS such as Linux. Although, helping them install and learn Linux would be even nicer than that malware of an OS that shipped with the systems.

Re: gparted (Score: 2, Interesting)

by Anonymous Coward on 2015-02-21 00:02 (#3GP1)

Use the secure-delete package instead of something like DBAN or another Windows wiping tool.

"Description: tools to wipe files, free disk space, swap and memory
Even if you overwrite a file 10+ times, it can still be recovered. This
package contains tools to securely wipe data from files, free disk space,
swap and memory."

Once DBAN was recommended by many, but it appears to have been snatched up
by a company and depending on many factors, including whether or not the
company involved is located in the US, I'm sure it's been hobbled by now.
I would not trust DBAN.

I would not trust other Windows wiping tools for many reasons, one because
you'd be using Windows, two I've heard of these programs being modified by
malware after installation and rendered useless. They will go through the
motions but not wipe everything or in some instances, wipe nothing!

Use 'hexdump -C drivenameyouwiped | less' following the wiping using
secure-delete.

You can also use the 'dd' command to add additional wipes if you're
paranoid.

Before you feel your job is done, I'll just leave this here
for your consideration:

---DCO and HPA (Host Protected Area of HDDs)---------
http://en.wikipedia.org/wiki/Host_protected_area
http://www.forensicswiki.org/wiki/DCO_and_HPA
http://hddguru.com/software/2005.10.02-MHDD/
http://hddguru.com/software/2006.01.20-Hitachi-Drive-Feature-Tool/
http://hddguru.com/software/2007.07.20-HDD-Capacity-Restore-Tool/
http://www.itsecure.at/hparemove-v0-2/
http://www.sleuthkit.org/informer/sleuthkit-informer-17.html#hpa
-----------------------------------------------------
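
Added example, not from the secure-delete package or any of the tools linked above: a Go program that automates the post-wipe hexdump check by counting sectors that still contain non-zero bytes (and reporting where the first one is), and parses the capacity line of `hdparm -N` to tell how many sectors a Host Protected Area hides beyond the visible end of the drive. The hdparm line format, the sample values and the 512-byte sector size are assumptions; the device path is a placeholder.

```go
package main

// Added example (not part of secure-delete, hdparm or any tool linked above).
// scanResidue automates the "hexdump -C | less" eyeball check after a wipe;
// hiddenSectors reads the capacity line of `hdparm -N` to spot an HPA that a
// wipe of the visible device never reached.

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"os"
	"regexp"
	"strconv"
)

// sectorSize is assumed; most HDDs report 512-byte logical sectors.
const sectorSize = 512

// WipeReport summarises a scan of a wiped device or image.
type WipeReport struct {
	Sectors       int64 // sectors read (a trailing partial sector counts as one)
	Residual      int64 // sectors that still hold at least one non-zero byte
	FirstResidual int64 // byte offset of the first such sector, -1 if none
}

// scanResidue reads r sector by sector and counts sectors that are not all
// zero. After a zero-fill pass a non-zero count means the pass missed data.
func scanResidue(r io.Reader) (WipeReport, error) {
	rep := WipeReport{FirstResidual: -1}
	br := bufio.NewReaderSize(r, 1<<20)
	buf := make([]byte, sectorSize)
	zero := make([]byte, sectorSize)
	for {
		n, err := io.ReadFull(br, buf)
		if n > 0 {
			if !bytes.Equal(buf[:n], zero[:n]) {
				if rep.FirstResidual < 0 {
					rep.FirstResidual = rep.Sectors * sectorSize
				}
				rep.Residual++
			}
			rep.Sectors++
		}
		if err == io.EOF || err == io.ErrUnexpectedEOF {
			return rep, nil
		}
		if err != nil {
			return rep, err
		}
	}
}

// hpaLine matches the capacity line printed by `hdparm -N` on Linux. The
// wording is assumed from typical output; check it against your version.
var hpaLine = regexp.MustCompile(`max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)`)

// hiddenSectors returns how many sectors lie beyond the visible capacity
// (native maximum minus current maximum) and whether hdparm reported the HPA
// as enabled. It errors when no capacity line is found.
func hiddenSectors(hdparmOutput string) (hidden int64, enabled bool, err error) {
	m := hpaLine.FindStringSubmatch(hdparmOutput)
	if m == nil {
		return 0, false, fmt.Errorf("no 'max sectors' line in hdparm output")
	}
	visible, _ := strconv.ParseInt(m[1], 10, 64) // digits guaranteed by the regexp
	native, _ := strconv.ParseInt(m[2], 10, 64)
	return native - visible, m[3] == "enabled", nil
}

func main() {
	// Constructed image: four zeroed sectors with leftover text in the third.
	img := make([]byte, 4*sectorSize)
	copy(img[2*sectorSize+100:], "leftover data")
	rep, err := scanResidue(bytes.NewReader(img))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sectors=%d residual=%d first_offset=%d\n", rep.Sectors, rep.Residual, rep.FirstResidual)

	// Constructed hdparm -N output for a drive with an HPA hiding sectors.
	out := "/dev/sdX:\n max sectors   = 1953000000/1953525168, HPA is enabled\n"
	hidden, on, err := hiddenSectors(out)
	fmt.Println("hidden sectors:", hidden, "hpa enabled:", on, "err:", err)

	// Real use after a wipe (needs root): go run . /dev/sdX  (path placeholder)
	if len(os.Args) > 1 {
		f, err := os.Open(os.Args[1])
		if err != nil {
			panic(err)
		}
		defer f.Close()
		rep, err = scanResidue(f)
		fmt.Printf("%+v err=%v\n", rep, err)
	}
}
```

On the constructed image the scan reports four sectors, one residual, first offset 1024; on the constructed hdparm line it reports 525168 hidden sectors with the HPA enabled. A non-zero hidden count means the end of the drive was never part of the block device the wipe ran against, so the tools in the links above (or `hdparm -N` itself) are needed to expose it before wiping again.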

How the mighty have fallen (Score: 2, Insightful)

by fishybell@pipedot.org on 2015-02-21 08:10 (#3H4E)

I take it as a sign of the times how far the once mighty Lenovo (as pseudo-proxy of the once mighty IBM) has fallen.

I loved my first IBM Thinkpad: full of reliableness and gusto. I type this now on my chiclet stricken, touchpad button missing (although I never use the touchpad: long live the nub!), X1 Carbon. I look at even the very next generation of X1 Carbons and see faults that would make me -- a true believer -- second guess the company's strategy.

I recommended an Ideapad to my less-than-tech-savvy friend. When it experienced its first problems I shrugged them off as the fault of Microsoft. When the problems became persistent -- for example, an incompatibility between the wifi driver and Google Fiber's router -- I started to see the Lenovo of now for what they are: a memory of what once was.

Re: How the mighty have fallen (Score: 2, Interesting)

by engblom@pipedot.org on 2015-02-21 09:14 (#3H6Q)

Indeed, they have fallen, and deep. The build quality is definitely not as good as before. You can clearly see they are more weakly made.
The last few times the company I work for dealt with Lenovo, we just had trouble:
- Two months to replace a DVD drive under warranty.
- Lenovo's own automatic update installed a faulty version of the BIOS, bricking the motherboard. Because it bricked all motherboards of the same model, they could not fix them fast enough for everybody around the globe, so we had to be without computers for a long time.

How is it even possible to have such low quality control that a faulty version of a BIOS reaches automatic updates?

Ni hao. We're really sorry you noticed our spyware... (Score: 1)

by entropy@pipedot.org on 2015-02-21 14:58 (#3HKH)

We promise to be more diligent and not let you find it again.

Another Sony debacle (Score: 0)

by Anonymous Coward on 2015-02-22 03:10 (#3JE8)

How much before this type of action is illegal or at least warrants full immediate cash compensation

Better Laptop Option (Score: 1)

by zenbi@pipedot.org on 2015-02-22 12:53 (#3K0E)

I don't have a laptop, nor any real need of one, but if I did, I would look into these guys instead of hanging on to the long lost Thinkpad era.

Re: Better Laptop Option (Score: 1)

by nightsky30@pipedot.org on 2015-02-22 18:23 (#3KPH)

I saw that, and it is interesting. But I can't understand why the CD/DVD ROM-only drive. What about DVD Dual Layer and Blu-Ray? Is a CD/DVD/Blu-Ray re-writer forbiddingly different somehow? That's a lot for a laptop that can't write DVDs or recognize Blu-Ray.

Re: Better Laptop Option (Score: 1)

by nightsky30@pipedot.org on 2015-02-22 18:28 (#3KPJ)

Upon checking the right support column, it appears you can get other options for more $$$

SONY BMG ROOTKIT (Score: 0)

by Anonymous Coward on 2015-02-23 00:58 (#3M3T)

Let's revisit the SONY BMG ROOTKIT for a moment, and read/listen to a quote from Thomas Hesse:

"Most people don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President, Global digital business, Sony BMG

Listen:

http://www.f-secure.com/weblog/archives/they_dont_know_so_why_should_they_care.wav

http://www.f-secure.com/weblog/archives/00000703.html

See ya (Score: 1)

by zafiro17@pipedot.org on 2015-02-25 16:50 (#3T81)

No worries Lenovo, I accept your apology. But I will also never again consider one of your machines. I need to trust my hardware manufacturer, and now thanks to your ass-hattedness, I no longer trust you.

Whichever dumbass middle manager thought this would be a great revenue earner for you should be made to fall on his own sword and then fed to a pool of sharks. The trust of your clients is worth more than a little ad money. How could you all have been so stupid?

Anyway, enjoy irrelevance. Your brand is tarnished. Maybe you and Sony should get together and have a party? You're made for each other - you both screwed the pooch in the same way.