Well, the crapware certainly hit the fan.
That was the take by security professionals Thursday, who called on Lenovo — and other PC makers — to stop the practice of loading third-party software on new PCs.
"Bloatware needs to stop," said Ken Westin, security analyst from security firm Tripwire, in an interview. "Companies like Apple, which sell their products on their own merits, they don't sell out their customers with this adware crap."
The practice of pre-installing software on new machines is so widespread, and has been going on so long, that it has well-worn labels, like Westin's "bloatware" or the cruder but more descriptive "crapware." Device OEMs (original equipment manufacturers) load such software for financial reasons, cutting prices on the hardware so drastically — usually in an effort to keep pace with rivals — that the money earned from software makers is sometimes the difference between profit and loss.
OEMs are paid to load the software onto their PCs — developers fork over money to get their programs in front of users — and earn revenue when consumers pony up to extend the trial periods of those pre-loaded applications that come with expiration dates.
But with the latest Lenovo fiasco, crapware-as-a-security-threat has triggered a blowback much greater than the contempt and ridicule formerly assigned it by consumers. And that's going to hurt the China-based PC maker.
"We need to be able to trust our brands," said Westin. "But that's very difficult here. What else have they deployed on their PCs? When they pull this kind of stuff, I know I don't want to buy a Lenovo."
Westin and others were reacting to the stance Lenovo initially took Thursday when it denied that Superfish Visual Discovery, a pre-loaded adware program billed as an image search tool that would "help customers potentially discover interesting products while shopping," was a security threat.
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo said in a Thursday statement that was subsequently altered to drop that line.
By the end of the day, Lenovo had backtracked, with its CTO, Peter Hortensius, admitting to IDG News Service — like Computerworld, a part of IDG — that the company had "messed up badly."
Hortensius said that Lenovo wasn't aware of Superfish's vulnerability to abuse by cyber criminals until it was publicly disclosed by security researchers. Google security engineer Chris Palmer launched a vigorous Twitter discussion on Wednesday after buying a new Lenovo laptop, and Robert Graham, CTO of Errata Security, outlined how he cracked the certificate's password in a Thursday blog post.
Superfish had been installed on a slew of Lenovo consumer-grade personal computers and 2-in-1s from September through December 2014. The OEM did not disclose the number of affected PCs, but listed the models, which included those in the E, G, S, U, Y and Z series, as well as ones in the Flex, MIIX and Yoga lines.