How could Lenovo have Missed Preloaded Superfish Adware’s Obvious Security Risk?


Superfish is probably the most annoying kind of invasive malware, so why did Lenovo think it would go unnoticed? It’s actually worse than that: Lenovo claims it thought the Superfish software would be welcome and useful. If you aren’t a programmer or a web marketer you might not even understand what Superfish does at first glance. Basically, it injects third-party, paid advertising into webpages that are otherwise encrypted. For example, pop-up or banner ads that your bank never sanctioned could show up on your online banking homepage. Adware of this nature breaks the usual encrypted HTTPS connection between your browser and the site, and that break can be exploited by anyone, not just advertisers who have a deal with Lenovo. Since Lenovo denied including the software on computers sold after December 2014, only to have independent security researchers find Superfish on computers shipped after 2015, the scandal is going to creep among hackers, nerds and programmers while the rest of the world becomes that much less secure.

We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.


Uh, yeah, temporarily removed, but does anyone really want Superfish on their Lenovo at all?

At first glance, Lenovo handled this issue professionally, as if it were all a big mistake. The more the software is discussed, dissected and examined, the less plausible the claim of an accidental security risk becomes. Naturally, assurances from the vendor won’t completely assuage fears, and rightly so, given reports that uninstalling the software leaves elements of the code behind that still drive pop-up ads and can still leave the machine at risk. Serious damage to Lenovo’s reputation aside, this is actually a big-picture win for consumers, who are seeing a hardware manufacturer backpedal out of a terrible move, hopefully setting a precedent.

So what the heck was Superfish intended to actually DO?

Superfish is a “Visual Discovery browser add-on”, available exclusively on Lenovo consumer products. Superfish uses an image search engine to supposedly help the user find products based on the appearance of said product. It does this by analyzing online images and marketing identical and similar products in real time. The supposed advantage is that the user can search images while also being offered lower-priced goods.


The software is cutting edge, searching 100% algorithmically without relying on text tags or human expeditors. If you show an interest in a product, Superfish will already be hunting down a better deal. Lenovo insists:


Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of Use and Privacy Policy, and has the option not to accept these terms, i.e., Superfish is then disabled.

Yet the visual search aspect of the program isn’t really dependent on Superfish’s disturbing ability to sign fake security certificates for any website (it installs its own root certificate on the machine, which is why the browser trusts them). If it is a great search method and helps people find deals they didn’t ask for, that sounds cool yet annoying, but is there any reason why it needs to see or interact with pages attempting to remain secure? Nope.

Because Lenovo shipped computers to distributors with multiple methods of uninstalling the software, and some computers were shipped before the uninstallation attempt at all, some machines still arrive with Superfish pre-installed. A Lenovo rep posted in a forum that Superfish has been uninstalled, but gave the shady excuse that “some issues (browser pop up behavior for example)” were the reason. Lenovo’s Twitter account reiterated that the machines should be safe now. Regardless of the official stance on social media, it’s clearly still possible to buy Lenovo PCs that have Superfish pre-installed. There has yet to be an update download from Lenovo or anyone else that gets rid of the adware. Do PCs from other manufacturers pre-install Superfish or other invasive security risks, inadvertently or otherwise? Regardless, if you uninstall Superfish adware from your machine, the Superfish root certificate remains in the system’s trust store, so the browser keeps trusting anything signed with it and the computer is still at risk of third-party interception.
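The two points above, that the danger comes from a Superfish root certificate the browser trusts and that uninstalling the adware leaves that certificate behind, are the reason to check the Windows trust stores directly rather than trusting the uninstaller. The following PowerShell script is an added example (not code from this article, from Lenovo, or from Superfish): it lists any root certificate whose subject or issuer names Superfish in the machine and user root stores, and removes them if run with `-Remove`. The `*Superfish*` subject pattern is an assumption; if the certificate on a given machine is labelled differently, adjust the pattern.

```powershell
# Added example, not Lenovo's or Superfish's code.
# Lists (and optionally removes) root certificates that name Superfish
# in the Windows trust stores. Matching on "Superfish" in the subject
# or issuer is an assumption about how the leftover certificate is labelled.
param(
    [switch]$Remove
)

# Only the Root stores matter: a root CA the OS trusts lets every
# certificate it signs pass the browser's checks, which is exactly what
# the adware relied on. Leaf certificates elsewhere cannot do that.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found  = @()

foreach ($store in $stores) {
    $hits = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }

    foreach ($cert in $hits) {
        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host 'No Superfish root certificate found in the Windows trust stores.'
    return
}

# Report what was found, with the thumbprint so it can be cross-checked
# against published indicators before anything is deleted.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        # The Cert: provider addresses a certificate by store path + thumbprint.
        $path = "$($entry.Store)\$($entry.Thumbprint)"
        Remove-Item -Path $path -Force
        Write-Host "Removed '$($entry.Subject)' from $($entry.Store)"
    }
} else {
    Write-Host 'Re-run with -Remove (from an elevated prompt for the LocalMachine store) to delete these certificates.'
}
```

Run it without arguments first to see what is present; removal from `Cert:\LocalMachine\Root` requires an elevated prompt. Browsers that keep their own trust store rather than using the Windows one (Firefox, for example) have to be checked separately in that browser's certificate manager, because this script only sees the Windows stores.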


Jonathan Howard
Jonathan is a freelance writer living in Brooklyn, NY