experts warn: 'Superfish' disabled after security researchers raise concerns

experts warn

'Superfish' disabled after security researchers raise concerns

CBC News

February 19, 2015

Lenovo notebook computers shipped between October and December 2014 came pre-installed with a program called Visual Discovery/Superfish that has caused alarm among computer security experts. (Kim Kyung-Hoon/Reuters)

Bought a Lenovo computer recently? It may have come with a surprise inside that makes you vulnerable to being attacked by cybercriminals, security researchers say.

Lenovo notebook computers shipped last fall came pre-installed with a program called Visual Discovery/Superfish that has caused alarm among computer security experts.

China-based Lenovo said the software was installed on consumer notebook products shipped between October and December "to help customers potentially discover interesting products while shopping." It did that by analyzing images called up by users while surfing the internet and presenting similar products, the company said on its user forums.

Robert Graham, CEO of the U.S.-based computer security firm Errata Security, described Superfish as "adware" that works by injecting JavaScript code into web pages.

System open to hackers, 'NSA-style spies'

"This is known to cause a lot of problems on websites," Graham wrote on his blog. More alarmingly, the software is designed to intercept all encrypted connections, the blog post said, including "things it shouldn't be able to see. It does this in a poor way that leaves the system open to hackers or NSA-style spies."

Security researcher Marc Rogers wrote on his personal blog that Superfish "uses a 'man-in-the-middle attack' to break secure connections on affected laptops in order to access sensitive data and inject advertising."

Because of the way it does this, he added, "users cannot trust any secure connections they make – to any site."

Rogers is principal security researcher at the security firm Cloudflare and head of security for the hacking conference Def Con.

Lenovo disables software, posts removal instructions

In a post on its users forums Thursday, Lenovo said company technicians had "thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

However, it said, user feedback on the software was "not positive." In response, since January, it has:

• Disabled Superfish for all products currently on the market.
• Stopped preloading the software on new laptops.

The company also posted instructions for uninstalling the software.

It had previously posted a notice on user forums on Jan. 23 saying it had "temporarily" removed the software from consumer systems due to issues such as browser pop-up behaviour.