Earlier this week, word started spreading that Lenovo had been pre-installing a sketchy adware program called “SuperFish” onto many of its Windows PCs for months.
Then researchers started finding nasty vulnerabilities. SuperFish installs its own root certificate into Windows’ trusted certificate store so it can intercept and rewrite HTTPS traffic, and every affected machine ships with the same certificate and the same private key. That key was extracted within hours of the news breaking, so anyone positioned between an affected laptop and the internet (say, on a shared WiFi connection at a coffee shop) can impersonate any HTTPS site and read or modify what is supposed to be “encrypted” traffic, with no browser warning.
By this morning, the US Department of Homeland Security was urging Lenovo laptop owners to remove the tool.
Even without the security implications, SuperFish was pretty sketchy. Its purpose? Catch Google search results before they hit your screen, then quietly modify them to include more ads.
Lenovo is now rushing to put out the fires; they disclosed yesterday that they’d turned off everything SuperFish-related on the server side back in January — which, while a good step, does nothing about the root certificate and its leaked private key still sitting on the laptops. The software doesn’t need Lenovo’s servers to be running for that certificate to be trusted.
For that, Lenovo has just released a set of automated removal tools, which they pledge will “ensure complete removal of Superfish and Certificates for all major browsers.”
They’ve also published the removal tool’s source code for scrutiny, and for those who would like to compile the tool themselves.
And if that still sketches you out? They’re also supplying a step-by-step guide for removing SuperFish manually on the same page. Note that removing the SuperFish program alone isn’t enough; the certificate has to go too, from the Windows store and from any browser that keeps its own.
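If you want to check for yourself, before or after running Lenovo’s tool, the following PowerShell script looks for the SuperFish certificate in the Windows root stores and for the program in the installed-software registry keys. This is an added example, not Lenovo’s removal tool or its source; it assumes the certificate can be recognised by “Superfish” in its Subject (its common name is “Superfish, Inc.”), and the `-Remove` switch is just this script’s own convention. Run it from an elevated PowerShell prompt.

```powershell
# Added check; not part of Lenovo's removal tool. Assumes the SuperFish root
# certificate is identifiable by "Superfish" in its Subject or Issuer.
# Run elevated. Without -Remove it only reports; with -Remove it deletes matches.
param(
    [switch]$Remove
)

# SuperFish put its CA into the trusted root store. Check both the machine-wide
# store and the current user's store: either is enough for Windows (and the
# browsers that use the Windows store, such as IE and Chrome) to trust
# certificates that CA signed.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{Name = 'Store'; Expression = { $store }},
                      Subject, Thumbprint, NotAfter, PSPath
}

# The application itself shows up under the usual uninstall keys (both the
# 64-bit and the WOW6432Node views on a 64-bit Windows install).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Superfish*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if ($installed) {
    Write-Host 'SuperFish appears to still be installed:'
    $installed | Format-Table -AutoSize
}

if (-not $found) {
    Write-Host 'No Superfish certificate found in the Windows root stores.'
    return
}

Write-Host 'Superfish certificate(s) found in the Windows root stores:'
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        Write-Host "Removing $($cert.Subject) from $($cert.Store)"
        Remove-Item -Path $cert.PSPath
    }
}
```

Two caveats. Firefox does not use the Windows certificate store; it keeps its own, so a clean result here says nothing about Firefox, and you should check its Certificate Manager (or rely on Lenovo’s tool, which claims to cover all major browsers). And the script matches on the certificate’s name only; a clean result means the SuperFish certificate is gone, not that nothing else untrustworthy is in the root store.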
Says Lenovo in the latest of many statements they’ve released on the matter:
We ordered Superfish pre-loads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday. We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it.
Since that time we have moved as swiftly and decisively as we can based on what we now know. While this issue in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognize that all Lenovo customers need to be informed. We apologize for causing these concerns among our users for any reason – and we are learning from experience and improving what we do and how we do it. We will continue to take steps to make removal of the software and underlying vulnerable certificates in question easy for customers so they can continue to use our products with the confidence that they expect and deserve.
[Original deadfish photo by Ben Brophy on Flickr; modified under creative commons]