Security expert: Lenovo’s response to its dangerous adware a ‘bald-faced lie’

“If you’ve bought a Lenovo laptop anytime since August, it may have shipped with a dangerous bit of adware known as Visual Discovery by Superfish. It’s the kind of software add-on that [Windows PC] computer makers are often paid to include with their hardware,” Robert McMillan reports for Wired. “Superfish exists to serve up ads, but it does so in such a maddeningly dangerous way that it creates a real security problem for Lenovo users.”

“Worse, Lenovo appears completely clueless about the problem,” McMillan reports. “The company issued a statement shortly after security experts raised the issue, saying it stopped shipping the adware last month and customers need not worry about the thing compromising their security. ‘We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,’ Lenovo said.”

“Robert Graham, the CEO of an internet security firm called Errata Security, doesn’t mince words in assessing the situation,” McMillan reports. “‘This is a bald-face[d] lie,’ he says of Lenovo’s statement. ‘It’s obvious that there is a security problem here.’ And Graham knows what he’s talking about. He runs a security consultancy and has documented very real security problems with Superfish… ‘I can intercept the encrypted communications of Superfish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot,’ Graham wrote in a blog post detailing how he did this. Note to Lenovo: This makes Superfish a legitimate security concern.”

Read more in the full article here.

MacDailyNews Take: If you’ve bought a Lenovo laptop anytime… you’ll want to schedule a cranial CT scan pronto.

[Thanks to MacDailyNews Reader “Dan K.” for the heads up.]

23 Comments

  1. and it’s even made in china, what a surprise.

    wanna bet the chinese intelligence services might have had a hand in suggesting this bit of spyware, works at home to keep an eye on their own people, and works overseas on anybody else foolish enough to buy one of these machines.

    not quite up to nsa standards, but….give them time

    1. I’d definitely tell your IT staff (if any) at your day job to give the Lenovo a going over before they let it loose on your work LAN. One of my brothers still swears by his ThinkPad! *sigh* He too must use Windows boxes due to the nature of his job. Thankfully, he was smart enough to give his daughter a MacBook to take to university.

  2. The two relevant articles over at Ars Technica (I’ve posted these previously here at MDN), plus two more to follow:


    Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated]

    Superfish may make it trivial for attackers to spoof any HTTPS website.

    Lenovo honestly thought you’d enjoy that Superfish HTTPS spyware
    It wasn’t about the money!

    The second article linked above contains Lenovo’s original, whitewash statement.

        1. Torches and pitchforks! Why people put up with this garbage on Windows boxes is beyond my comprehension. But I will say that many abused people, with time, accept the abuse as status quo. I never have. I’m so glad to have a superior alternative.

          BTW: Be glad you’re not where I live Arnold. You’d have trouble finding your tail today! Minus 20º F wind chill. Total retraction. 😉

          1. Hoo boy. Now, that’s cold. It’s 60˚ right now where I wallow.

            You’re right about victims thinking abuse is the norm. It is a sad state of affairs. We’ve never owned a Windows PC but have had to use them at work in the past. Thank God we get to use Macs nowadays.

  3. That’s small fry, just smoke and mirrors to distract from the fact that security experts still haven’t gotten around to the worst and most prolific virus around….

    Windows.

  4. I have a pretty recent Lenovo Thinkpad from work and it is utter crap compared to my 7 year-old Macbook Pro. No malware due to it being imaged by our IT department, but the hardware sucks.

    You can’t open it with one hand like you can the MBP and the track pad is barely useful at all, only registering a tap sometimes. When it does work, tapping on different areas of the track pad yields either a right-click or a left-click, so you have to know where you are before trying tapping lest you get unexpected results. You are essentially forced to use a mouse with the thing and, although it claims to have Bluetooth, it will not recognize my personal Bluetooth mouse which works flawlessly with all my Macs.

    It has hardware volume buttons that adjust the sound from 0 to 50 and brightness buttons that adjust brightness from 0 to 15!

    I only use the thing when there is nothing else available.

  5. Ah typical “my shit don’t stink” attitude from a group that thinks they are so much better than everyone else, arrogantly so.

    “Security expert: Lenovo’s response to its dangerous adware a ‘bald-faced lie’”
    “its” dangerous adware? Lenovo’s dangerous adware? Hmmm really?

    Oh no wait, the adware in question is Visual Discovery by Superfish. Is this made by Lenovo? Is it even made in China? This calls for some investigative research. I’ll be right back.

    I’ve just returned from Wikipedia: “Superfish is an advertising company that develops various advertising-supported software products based on a visual search engine. The company is based in Palo Alto, California, and was founded in 2006.”

    Ah, Palo Alto, California, United States. Right NOW we have the proper perspective. Crap Chinese computer company making an inferior product, to be expected. Software that creates a real security problem, yep that is such a trademark of the United States.

    Certainly spot on propaganda in that article my fellow citizens of the free and civilized world. Keep the popcorn handy as the race for the bottom continues.
