Lenovo stopped installing Superfish on its hardware last month, and at the same time disabled the software on all the devices onto which it had been loaded. The firm also promised not to install Superfish in the future. But that still left the software on PCs.
Later Thursday, Lenovo published manual instructions for removing both Superfish and the self-signed certificate that was at the root of the potential abuse. The firm also said it would soon release a tool that would scrub both the application and the certificate from its PCs automatically, and was looking into ways to auto-deliver that tool, perhaps with the help of partners Microsoft and McAfee.
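The self-signed root certificate is the part of the install that matters most to a defender, since removing the application alone leaves it trusted. The following PowerShell audit is an added example, not Lenovo's published instructions or its removal tool; it assumes the certificate's Subject or Issuer contains the string "Superfish" (an assumption to verify against Lenovo's instructions) and that it lives in the machine-wide or per-user Trusted Root store.

```powershell
# Added audit script (not Lenovo's removal tool or the instructions it published).
# Assumptions: the Superfish root certificate's Subject or Issuer contains the
# string "Superfish" (assumed; verify against Lenovo's published instructions)
# and it sits in the machine-wide or per-user Trusted Root store.
$pattern = '*Superfish*'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect every trusted root whose Subject or Issuer matches the pattern.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern }
}

if (-not $found) {
    Write-Host "No certificate matching $pattern in the Trusted Root stores."
    return
}

foreach ($cert in $found) {
    # A self-signed root presents the same entity as Subject and Issuer.
    $selfSigned = $cert.Subject -eq $cert.Issuer
    [pscustomobject]@{
        Store      = $cert.PSParentPath -replace '^.*::'
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SelfSigned = $selfSigned
    } | Format-List
}

# Removal is opt-in: this only previews the deletion. Re-run without -WhatIf
# from an elevated session to actually remove the matching root entries.
$found | Remove-Item -WhatIf
```

Run it on any PC that shipped with the software; a non-empty report means the root is still trusted even if the application itself has already been uninstalled.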
"Lenovo could approach Microsoft and ask to inject a removal tool inside of Windows Update," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. "We've seen [Microsoft] do similar things in the past where they have issued killbits on ActiveX components. I suspect that the Malicious [Software] Removal Tool [MSRT] could do it."
MSRT is a Microsoft-made malware deletion tool that is refreshed each month and included with other security updates the company issues on Patch Tuesdays.
Microsoft declined to answer questions about whether it was willing to aid Lenovo, the world's largest PC seller, by using Windows Update.
For Storms, even the promised cleanup tool wouldn't be sufficient, because Lenovo owners would have to hear about it, and then download it themselves. Under those conditions, a large portion of the affected PC owners will continue to run vulnerable systems. "Lenovo needs to take a stand here and offer to remove the software from every computer," said Storms in an interview conducted over instant messaging.
But it was the practice of loading crapware onto computers that drew unanimous ire from security professionals.
"OEMs frequently undermine the security of their systems through third-party software bundles," said HD Moore, the chief research officer at Rapid7 and the creator of the open-source Metasploit penetration framework. "In the PC area, we have all sorts of privacy exposures and flat-out security issues due to unauthenticated third-party software updaters."
Westin echoed Moore, but also pointed out that with data breaches commonplace and reports of nation-state cyber spying increasing, consumers are increasingly sensitive to digital security and privacy issues, as the fast-spreading news of Lenovo's snafu demonstrated. "We're more privacy and security conscious," Westin said. "So when this sneaks past an OEM, there will be a significant impact on sales and their brand. But it's all about, 'How can we monetize these installs?'"
In its statement Thursday, Lenovo claimed that the decision to pre-load Superfish was not financially motivated. "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users," the company said.