The Lenovo Superfish Problem – What Does It Mean For You?


Lenovo has been caught in a bit of a tough spot over the last few days over some software that was pre-installed on a range of computers sold during the last few months. The stated purpose of this software, known as Superfish, is to “help customers potentially discover interesting products while shopping.” Unfortunately, there are some much more serious consequences, and Lenovo has been facing plenty of public backlash.  What exactly does the Lenovo Superfish software mean to you though?

First, I think we should get the good news out of the way.  Superfish was only pre-installed on Windows PCs, laptops, and notebooks shipped between October and December 2014. That does, however, mean that computers purchased up through even the last few days may have this software installed. But as far as good news goes, that’s a relatively small window in which to have received a Lenovo computer with Superfish on it.  The other good news is that Lenovo has listened to the angry mob with torches and pitchforks: it disabled the server side of Superfish on all shipped computers and stopped pre-loading it on new computers in January. Keep in mind that turning off the ad servers only stops the ads; it does nothing about what Superfish left behind on the machine, which is where the real problem is.

The bad news is an entirely different bag of worms. The always entertaining InfoSec Taylor Swift breaks it down in a quick and easy to digest manner:

At its most basic level, Superfish is adware that intercepts traffic from your computer in order to insert ads into your browser. To do that for HTTPS sites, it installs its own root certificate into the Windows trusted root store and runs a local proxy that sits between your browser and the web: the proxy terminates the real encrypted connection to the site, then re-signs the site’s certificate with the Superfish root so your browser shows the padlock and no warning. In other words, it is a man-in-the-middle attack on every secure site you visit, built in at the factory, rendering secure browsing effectively moot. If anyone other than Superfish gets hold of the private key for that root certificate, they can do the same thing, and your browser will trust them just as happily. Well, we just have to hope that key doesn’t get out, right?  I’m sure you can see where this is heading…

As if on cue, The Verge reported that Superfish has been cracked: the private key for the root certificate was pulled out of the software.  In a not-so-pleasant surprise, it seems that it was fairly easy to do, and because every affected Lenovo machine shipped with the same certificate and the same key, one extraction covers all of them. Anyone with that key who can get between you and the internet (the person next to you on coffee-shop Wi-Fi, for instance) can impersonate any HTTPS site, including your bank, without your browser raising an eyebrow.  Superfish has now gone from “potentially interesting shopping helper” to “adware that could be super bad” to “active means for nefarious individuals to leverage an attack on your computer” in the span of a few hours.  Bad, meet worse.

So if you’re playing along at home, and have bought a Lenovo Windows computer in the last 3-6 months, you may feel the need to start to panic.  Try to resist that urge, at least for now.  As I mentioned before, Lenovo has disabled the server-side interactions of Superfish; however, you’re not completely out of the woods yet.  Lenovo has also provided instructions on how to remove the Superfish software from your computer.  That gets us part way there, but uninstalling the program does not remove the Superfish root certificate from the trusted root store, and as long as that certificate is trusted, the extracted key still works against your machine. Without removing the certificate and cleaning up a bit more, there are still real issues.  As InfoSec Taylor Swift once again so eloquently tells us:

Lenovo has promised to update the instruction page with information on how to finish this cleanup, but as of this time there is nothing more listed.  Thankfully Lifehacker is on the case, and offers some basic instructions on how to delete the offending certificates.  While they still recommend a clean Windows install, deleting the Superfish certificate should at least close the man-in-the-middle hole. One caveat: Firefox keeps its own certificate store separate from Windows, so if Superfish planted its root there too, removing it from the Windows store alone is not enough.
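If you would rather check for yourself than trust an uninstaller, the PowerShell below is an added example (not Lenovo’s or Lifehacker’s instructions, and not taken from the original post). It does two things: it walks every Windows certificate store looking for a certificate whose subject or issuer mentions “Superfish”, and it opens a real TLS connection to a website and reports who issued the certificate your machine actually received. If that issuer is Superfish rather than the site’s normal certificate authority, the proxy is still intercepting your traffic. The “Superfish” match string and the test host name are assumptions for the example; the search is deliberately loose so a differently named variant would still show up. It assumes PowerShell 3.0 or later and should be run as Administrator so the LocalMachine store is visible.

```powershell
# Added example: find and report the Superfish root certificate, and test
# whether HTTPS connections are still being re-signed by it.
# Assumption: the offending certificate names "Superfish" in its subject/issuer
# (the root Lenovo shipped was issued to "Superfish, Inc.").
$Pattern = 'Superfish'

function Find-SuspectCertificate {
    param([string]$Match = $Pattern)
    # Cert:\ recurses through CurrentUser and LocalMachine and every store
    # under them (Root, CA, My, ...). Containers are the stores themselves;
    # we only want the certificate objects.
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object {
            -not $_.PSIsContainer -and
            ($_.Subject -match $Match -or $_.Issuer -match $Match)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $_.PSParentPath -replace '^.*::', ''
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

function Test-TlsInterception {
    # Connect to a real site and look at the certificate the client receives.
    # Assumed test host; any public HTTPS site works.
    param([string]$HostName = 'www.google.com', [int]$Port = 443, [string]$Match = $Pattern)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: we are inspecting it, not
        # relying on it, so validation is intentionally disabled for this probe.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, { param($s, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Intercepted = [bool]($cert.Issuer -match $Match)
        }
    }
    finally {
        $client.Close()
    }
}

# 1. Anything named Superfish trusted anywhere on this machine?
$suspects = @(Find-SuspectCertificate)
if ($suspects.Count -eq 0) {
    Write-Output "No certificate matching '$Pattern' found in the Windows certificate stores."
}
else {
    $suspects | Format-Table -AutoSize
    # Dry run first. Remove -WhatIf (and add -DeleteKey if you also want the
    # stored private key gone) once the list above shows only what you expect.
    $suspects | ForEach-Object { Remove-Item -Path ("Cert:\" + $_.Store + "\" + $_.Thumbprint) -WhatIf }
}

# 2. Is a live HTTPS connection still being re-signed?
Test-TlsInterception | Format-List
```

Run the store check before and after following Lenovo’s removal steps; the uninstaller alone typically leaves the root certificate where the second run will still find it. The connection test is the more convincing one, because it shows what your browser is actually being handed: a normal result names the site’s public certificate authority as the issuer, while an intercepted one names Superfish. Neither check covers Firefox, which keeps its own certificate store, so look there separately (Options, Advanced, Certificates) if you use it.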

Unfortunately, Lenovo has messed up. Bad. Should they have maybe skipped Superfish in the first place? Yes, they definitely should have. This is definitely a black eye for Lenovo, a company that has been making considerable gains in the consumer PC market recently. For now we’ll hope that Lenovo will do the right thing and fix this for their customers. Hopefully they’ll learn from this experience and maybe do a bit more research on what they add to their Windows machines in the future.

Here’s a tip I’d love for all companies to really see and follow – knock off all of the shady stuff. Sincerely, everybody.
