“If you’ve bought a Lenovo laptop anytime since August, it may have shipped with a dangerous bit of adware known as Visual Discovery by Superfish. It’s the kind of software add-on that [Windows PC] computer makers are often paid to include with their hardware,” Robert McMillan reports for Wired. “Superfish exists to serve up ads, but it does so in such a maddeningly dangerous way that it creates a real security problem for Lenovo users.”
“Worse, Lenovo appears completely clueless about the problem,” McMillan reports. “The company issued a statement shortly after security experts raised the issue, saying it stopped shipping the adware last month and customers need not worry about the thing compromising their security. ‘We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,’ Lenovo said.”
“Robert Graham, the CEO of internet security firm called Errata Security, doesn’t mince words in assessing the situation,” McMillan reports. “‘This is a bald-face[d] lie,’ he says of Lenovo’s statement. ‘It’s obvious that there is a security problem here.’ And Graham knows what he’s talking about. He runs a security consultancy and has documented very real security problems with Superfish… ‘I can intercept the encrypted communications of Superfish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot,’ Graham wrote in a blog post detailing how he did this. Note to Lenovo: This makes Superfish a legitimate security concern.”
Read more in the full article here.
MacDailyNews Take: If you’ve bought a Lenovo laptop anytime… you’ll want to schedule a cranial CT scan pronto.
[Thanks to MacDailyNews Reader “Dan K.” for the heads up.]
Pay me now or pay me later.
My Lenovo ThinkPad I got through my college is the biggest reason I switched to Mac. Terrible, cheaply constructed devices bogged down by their crapware.
and it’s even made in china, what a surprise.
wanna bet the chinese intelligence services might have had a hand in suggesting this bit of spyware, works at home to keep an eye on their own people, and works overseas on anybody else foolish enough to buy one of these machines.
not quite up to nsa standards, but… give them time
Exactly! Never underestimate the abuse Chinese citizens suffer from their own government. 😛
Wow. That’s weird. Lenovo is still a thing? Who knew?
Reminds me of a fun fact I have been intending to bring up here –
Avast AV software alerts you that Google is a “dangerous” search engine. I love it! 🙂
Quick! Get Lenovo Chief Engineer Ashton Kutcher on the phone.
He’ll splain it to you boneheads.
I’m stuck on a Lenovo X230 at my day job and am due to be upgraded to a new Lenovo later this year. Hopefully the adware issue will be over by then.
🙁
I’d definitely tell your IT staff (if any) at your day job to give the Lenovo a going over before they let it loose on your work LAN. One of my brothers still swears by his ThinkPad! *sigh* He too must use Windows boxes due to the nature of his job. Thankfully, he was smart enough to give his daughter a MacBook to take to university.
“It’s not a problem, we’re still making lots of money by pre-installing it on your cheap POS computer. Nothing to see here, move along.”
– Lenovo
The two relevant articles over at Ars Technica (I’ve posted these previously here at MDN), plus two more to follow:
Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated]
Superfish may make it trivial for attackers to spoof any HTTPS website.
Lenovo honestly thought you’d enjoy that Superfish HTTPS spyware
It wasn’t about the money!
The second article linked above contains Lenovo’s original, whitewash statement.
THEN THIS HAPPENED:
Lenovo CTO says, “We didn’t do enough,” promises to wipe Superfish off PCs
Company backs away from earlier claim there was no merit to security concerns.
How to remove the Superfish malware: What Lenovo doesn’t tell you
Uninstalling the software doesn’t undo the damage it does to your system.
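An added check, not from MDN, Ars Technica or any linked article: the point of that last headline is that removing the Visual Discovery program leaves the Superfish root certificate in the Windows trust store, and a root certificate whose private key is present on the machine means any site certificate signed with it is trusted. The script below enumerates the machine and user root stores and reports anything that names Superfish. The subject-text match and the optional -Remove switch are assumptions for illustration; the thumbprint variable is a placeholder, not a value from this page, and should be filled in from your vendor's advisory.

```powershell
# Added example (not the article's or any linked post's code): audit the
# Windows root stores for a leftover Superfish CA certificate.
# Assumptions: the certificate's Subject or Issuer contains "Superfish";
# $knownThumbprint is a placeholder to be replaced with a published value.
param(
    [switch]$Remove   # actually delete what is found (needs an elevated shell for LocalMachine)
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$knownThumbprint = 'PLACEHOLDER_PUBLISHED_SUPERFISH_THUMBPRINT'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match 'Superfish' -or
        $_.Issuer  -match 'Superfish' -or
        $_.Thumbprint -eq $knownThumbprint
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            # A root CA with its private key on the box is the real danger sign:
            # anything signed with that key will validate on this machine.
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

if (-not $findings) {
    Write-Output 'No Superfish root certificate found in the machine or user root stores.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        $path = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
        Remove-Item -Path $path
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
}
```

Run it first without -Remove to see what is there; removing from Cert:\LocalMachine\Root needs an administrator shell. Browsers that keep their own trust store (Firefox does) are not covered by the Windows stores and need a separate look.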
This Chinese company dares criticize Apple. Oops. 😛
Imagine…just imagine how this would have been reported if Apple had done something like this.
Torches and pitchforks! Why people put up with this garbage on Windows boxes is beyond my comprehension. But I will say that many abused people, with time, accept the abuse as status quo. I never have. I’m so glad to have a superior alternative.
BTW: Be glad you’re not where I live Arnold. You’d have trouble finding your tail today! Minus 20° F wind chill. Total retraction. 😉
Hoo boy. Now, that’s cold. It’s 60° right now where I wallow.
You’re right about victims thinking abuse is the norm. It is a sad state of affairs. We’ve never owned a Windows PC but have had to use them at work in the past. Thank God we get to use Macs nowadays.
That’s small fry, just smoke and mirrors to distract from the fact that security experts still haven’t gotten around to the worst and most prolific virus around…
Windows.
True sup, RW! A global pandemic virus pretending to be an operating system. … may their chooks turn into emus and peck their dunnies down!
I have a pretty recent Lenovo Thinkpad from work and it is utter crap compared to my 7 year-old Macbook Pro. No malware due to it being imaged by our IT department, but the hardware sucks.
You can’t open it with one hand like you can the MBP and the track pad is barely useful at all, only registering a tap sometimes. When it does work, tapping on different areas of the track pad yields either a right-click or a left-click, so you have to know where you are before trying tapping lest you get unexpected results. You are essentially forced to use a mouse with the thing and, although it claims to have Bluetooth, it will not recognize my personal Bluetooth mouse which works flawlessly with all my Macs.
It has hardware volume buttons that adjust the sound from 0 to 50 and brightness buttons that adjust brightness from 0 to 15!
I only use the thing when there is nothing else available.
Just had to remove it and the certificates off of 2 Lenovo Yogas here at work…
Both people had the choice of a MacBook. I think they chose the Yogas because we do not offer MacBook Airs yet.
Ah typical “my shit don’t stink” attitude from a group that thinks they are so much better than everyone else, arrogantly so.
“Security expert: Lenovo’s response to its dangerous adware a ‘bald-faced lie’”
“its” dangerous adware? Lenovo’s dangerous adware? Hmmm really?
Oh no wait the adware in question is Visual Discovery by Superfish. Is this made by Lenovo? Is it even made in China? This calls for some investigative research I’ll be right back.
I’ve just returned from Wikipedia: “Superfish is an advertising company that develops various advertising-supported software products based on a visual search engine. The company is based in Palo Alto, California, and was founded in 2006.”
Ah, Palo Alto, California, United States. Right NOW we have the proper perspective. Crap Chinese computer company making an inferior product, to be expected. Software that creates a real security problem, yep that is such a trademark of the United States.
Certainly spot on propaganda in that article my fellow citizens of the free and civilized world. Keep the popcorn handy as the race for the bottom continues.
I blame Ashton Kutcher.