
Lenovo releases tool to purge Superfish 'crapware'

Gregg Keizer | Feb. 23, 2015
Confirms it's working with McAfee and Microsoft to remove self-signed certificate, and isolate or delete the adware.


Lenovo late Friday released a promised tool to delete the Superfish Visual Discovery adware from its consumer PCs.

The tool automates the manual removal process that Lenovo described earlier in the week, after the Superfish "crapware" exploded in its face. The same tool also deletes the self-signed root certificate that security researchers said posed a serious threat to anyone with a Superfish-equipped Lenovo system.

Lenovo confirmed that it is working with two of its partners, antivirus vendor McAfee and Windows-maker Microsoft, to automatically scrub or isolate Superfish and remove the certificate, for those customers who do not hear about its cleaning tool.

"We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," Lenovo said in a statement. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."

The reference to already-begun efforts pertains to Microsoft's decision Friday to issue an anti-malware signature for its free Windows Defender and Security Essentials programs, then push that signature to Windows PCs running the software.

Ironically, McAfee's Internet Security is another pre-loaded program Lenovo adds to its consumer PCs and 2-in-1s. Those programs, called "bloatware," "junkware" and "crapware," are factory-installed by Lenovo to generate revenue. Lenovo places a 30-day trial of McAfee Internet Security on its consumer PCs, for example, then gets a cut of the money customers spend to upgrade the trial to a paid subscription.

Security experts have called on Lenovo, and the PC industry in general, to halt the practice of pre-loading third-party software on their machines. "Bloatware needs to stop," said Ken Westin, security analyst at security firm Tripwire, in a Thursday interview. Westin and others argued that crapware poses security and privacy threats, something Superfish illustrated all too well.

The problem with Superfish was the way it injected ads into HTTPS-protected websites, such as Google search results.

To serve ads on encrypted websites, Superfish installed its own self-signed root certificate into the Windows certificate store, and into Mozilla's separate certificate store used by the Firefox browser and the Thunderbird email client. With that root trusted, Superfish intercepted each HTTPS connection, generated a replacement certificate for the site and signed it with the Superfish root key, then presented that forged certificate to the browser. Because the browser already trusted the root, it accepted every one of those certificates without a warning. In effect, Superfish was running a classic "man-in-the-middle" (MITM) attack on the PC itself, able to read and alter traffic that was supposed to be encrypted end-to-end between the browser and the server.

Worse, the root's private key shipped with the software on every affected PC, protected only by a password. Once anyone recovered that password, they could sign a certificate for any domain that those Lenovo PCs would trust, and launch their own MITM attacks: for example, by luring Lenovo users onto a malicious Wi-Fi hotspot in a public place, like a coffee shop or airport, and impersonating their bank or webmail without triggering a browser warning.
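As an added example (not Lenovo's removal tool or Microsoft's signature), the following PowerShell script does the check an administrator would want after reading the above: it walks every Windows certificate store, reports any certificate whose subject or issuer names Superfish, and removes it when run with -Remove from an elevated prompt. The "*Superfish*" name match is an assumption about how the certificate's Subject field is written; verify the reported subject and thumbprint before deleting.

```powershell
# Added example: find (and optionally remove) a Superfish root certificate
# from every Windows certificate store. Run as Administrator to reach
# LocalMachine stores; pass -Remove to delete what is found.
param([switch]$Remove)

# Assumption: the rogue root's Subject or Issuer contains the string "Superfish".
$pattern = '*Superfish*'

$hits = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern }

if (-not $hits) {
    Write-Host 'No Superfish certificate found in any Windows certificate store.'
    return
}

foreach ($cert in $hits) {
    # PSParentPath tells you which store (e.g. LocalMachine\Root) holds the entry.
    Write-Host ("Store:      {0}" -f $cert.PSParentPath)
    Write-Host ("  Subject:    {0}" -f $cert.Subject)
    Write-Host ("  Issuer:     {0}" -f $cert.Issuer)
    Write-Host ("  Thumbprint: {0}" -f $cert.Thumbprint)
    Write-Host ("  NotAfter:   {0}" -f $cert.NotAfter)
    if ($Remove) {
        Remove-Item -Path $cert.PSPath -Force
        Write-Host '  -> removed'
    }
}
```

Two caveats. First, this only covers the Windows store; Firefox and Thunderbird keep their own NSS database under each profile directory, which this script does not touch, so the Mozilla store must be checked separately (the NSS certutil tool lists and deletes entries there; it is a different program from the certutil.exe that ships with Windows). Second, deleting the root is not enough on its own: the Visual Discovery software that installed it must be uninstalled as well, which is why Lenovo's tool removes both.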
