Initially, Firefox users were thought to be unaffected, because Firefox uses its own certificate root store rather than the one in Windows. However, the Electronic Frontier Foundation discovered 44,000 man-in-the-middle certificates signed by the same Superfish root certificate through its Decentralized SSL Observatory project, which collects data from Firefox browsers that have the HTTPS Everywhere extension installed.
"This either indicates that Superfish also injects its certificate into the Firefox root store, or that on a large number of occasions Firefox users have been clicking through certificate warnings caused by Superfish MITM attacks," the EFF said in a blog post.
"At the end of the day, we messed up badly," Hortensius said. "There is no other way to say it. We're not trying to hide. We're trying to do everything we can do to solve the problem for people and subsequently make sure this doesn't happen again."
According to Lenovo, the Superfish software was only installed on some consumer laptops sold through retail stores between September and January. The company stopped preloading the software after receiving negative feedback from users and asked Superfish to remotely disable the service for existing installations.
However, while this stopped the intrusive product recommendations, it did not remove the software or the root certificate it created. In fact, Lenovo confirmed that even if the software is uninstalled manually, the root certificate, and hence the vulnerability, is left behind. That's why the company plans to release the separate clean-up tool.
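Because uninstalling the application leaves the root certificate in place, the practical check is to inspect the Windows root stores directly rather than the installed-programs list. The following PowerShell is an added example, not Lenovo's clean-up tool; matching on the subject name "Superfish" is an assumption, since the article does not give the certificate's subject or thumbprint.

```powershell
# Added example (not from the article): look for a leftover Superfish root
# certificate in the machine-wide and per-user Windows root stores.
# Matching on the string "Superfish" in Subject/Issuer is an assumption;
# confirm the hit against the thumbprint Lenovo publishes before removing it.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # A root with an exportable private key on the box is the
                # condition that lets any TLS session be intercepted.
                HasPrivKey = $_.HasPrivateKey
            }
        }
}

if ($found) {
    $found | Format-Table -AutoSize
    # Removal must run from an elevated shell. Left commented so the operator
    # confirms the thumbprint first:
    # $found | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
} else {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
}
```

This covers only the Windows stores; Firefox keeps its own NSS certificate database per profile, so a separate check there is needed if the EFF's observation about Firefox users holds for a given machine.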
Laptops that may have come preloaded with the Superfish software are in the company's G Series, U Series, Y Series, Z Series, S Series, Flex Series, MIIX Series, YOGA Series and E Series. A complete list of potentially affected models is here.