Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Lenovo PCs ship with adware that puts computers at risk

Lucian Constantin | Feb. 23, 2015
Some Windows laptops made by Lenovo come pre-loaded with an adware program that exposes users to security risks.

It's also not clear why Superfish is using the certificate to perform a man-in-the-middle attack on all HTTPS websites, not just search engines. A screen shot posted by security expert Kenn White on Twitter shows a certificate generated by Superfish for www.bankofamerica.com.

Superfish did not immediately respond to a request for comment.

Mozilla is considering ways to block the Superfish certificate in Firefox, even though Firefox does not trust certificates installed in Windows and uses it's own certificate store, unlike Google Chrome and Internet Explorer.

"Lenovo removed Superfish from the preloads of new consumer systems in January 2015," a Lenovo representative said in an emailed statement. "At the same time Superfish disabled existing Lenovo machines in market from activating Superfish."

The software was only preloaded on a select number of consumer PCs, the representative said, without naming those models. The company is "thoroughly investigating all and any new concerns raised regarding Superfish," she said.

It seems that this has been happening for a while. There are reports about Superfish on the Lenovo community forum going back to September 2014.

"Preinstalled software is always a concern because there's often no easy way for a buyer to know what that software is doing -- or if removing it will cause system problems further down the line," said Chris Boyd, a malware intelligence analyst at Malwarebytes, via email.

Boyd advises users to uninstall Superfish, then to type certmgr.msc into the Windows search bar, open the program and remove the Superfish root certificate from there.

"With increasingly security and privacy conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetization strategies," said Ken Westin, a senior security analyst at Tripwire. "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.