Cracking the password proved laughably easy, and within hours it was circulating on the Internet.
Westin called Lenovo's adding Superfish to its PCs "a betrayal of trust" and predicted that the Chinese OEM (original equipment manufacturer) would suffer a hit to both its reputation and sales. "When they pull this kind of stuff, I know I don't want to buy a Lenovo," Westin said.
Since the vulnerability posed by Superfish went public, Lenovo has scrambled to repair the damage caused not only by the crapware, but its initially tone-deaf denial that the software was a security problem.
In the Friday statement, Lenovo continued to claim that it had been in the dark. "We did not know about this potential security vulnerability until yesterday," the company said.
That doesn't let Lenovo off the hook, said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. "What's in question here is what, if any, due diligence is performed by the manufacturers before agreeing to pre-install applications," Storms said. "What's the vetting process aside from 'How much is the third party willing to pay us?'"
Lenovo did not detail how McAfee or Microsoft might help disseminate the Superfish clean-up tool or assist in removing the application and certificate. But its use of the word "quarantine" hints that McAfee would issue its own anti-malware signature to at least isolate the program. Antivirus programs use that same quarantine practice with suspected malware.
Microsoft, in turn, could issue an update that revoked the Superfish certificate, essentially removing it from the Windows certificate store. The Redmond, Wash.-based company has done that in the past when certificates have been obtained illegally.
Google's Chrome, Microsoft's Internet Explorer (IE) and Opera Software's Opera all rely on the Windows certificate store to validate the certificates used to encrypt traffic to and from Windows PCs. Even so, Google and Opera would likely issue their own revocation updates.
Mozilla is already working on revoking the Superfish certificate from the Firefox and Thunderbird certificate stores, but has not finalized plans, according to Bugzilla, the open-source developer's bug- and fix-tracker.
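Because Chrome, IE and Opera trust whatever sits in the Windows root store, an administrator can check a Lenovo PC for the certificate directly rather than wait for a vendor update. The following PowerShell script is an added example, not code from the article, Lenovo or Microsoft; it assumes the certificate can be recognised by the word "Superfish" in its subject (the article gives no thumbprint, so none is hard-coded), and it does not cover the separate Firefox and Thunderbird stores mentioned above.

```powershell
# Added example: find, and optionally remove, any trusted root certificate whose
# subject mentions Superfish in the Windows stores consulted by Chrome, IE and
# Opera. Firefox and Thunderbird keep their own stores and are not checked here.
# Matching on the subject name is an assumption; the article does not give the
# certificate's thumbprint, so nothing is hard-coded.
param(
    [switch]$Remove   # pass -Remove to delete matches (LocalMachine needs an elevated prompt)
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect every matching root certificate together with the store it lives in.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the Windows certificate stores.'
    return
}

Write-Output 'Superfish root certificate(s) present:'
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # The certificate provider addresses each entry by store path plus thumbprint.
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        Write-Output "Removing $path"
        Remove-Item -Path $path
    }
}
```

Removing the certificate only closes the trust hole; the Superfish application itself still has to be uninstalled, which is what Lenovo's clean-up tool and manual instructions cover.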
Lenovo's Superfish cleaning tool and updated manual removal instructions -- which now include Firefox -- can be found on its website.