Superfish Spy Threat News: Warning for Lenovo Computers After Major Security Flaw Found

Jonah Hicap Tuesday, February 24, 2015

Lenovo tablets and mobile phones are displayed during a news conference on the company's annual results in Hong Kong in this May 23, 2013 file photo. | REUTERS/Bobby Yip

Chinese computer manufacturer Lenovo has apologized to consumers after a pre-installed software in its new laptops was found to cause a major security flaw that infects any browser and allows attackers to spy on their users' confidential communication.

The preloaded software, called Superfish, also alters the search results to show users different ads than they would not otherwise see when conducting a search through their browser using a different PC.

The threat posed by Superfish is so severe that the U.S. Department of Homeland Security Computer Emergency Readiness Team has issued an advisory against using Lenovo PCs.

"Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate," it said. "Exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system."

"Attackers are able to see all the communication that's supposed to be confidential -- banking transactions, passwords, emails, instant messages," said Timo Hirvonen, a senior researcher at security software maker F-Secure. With the pre-installed software, a hacker can spy on the users' Internet traffic and infiltrate their computer, he said.

Ironically, the problematic Superfish software has been pre-installed in new laptops produced by Lenovo, which happened to be the top-selling laptop brand in 2014.

Lenovo has admitted its fault and is reportedly scrambling to fix the problem after receiving numerous customer complaints about Superfish.

"We messed up badly," said Peter Hortensius, Lenovo's chief technology officer. He claimed that the company was unaware that Superfish would expose consumer's Internet traffic. "The intent was to supplement the shopping experience," he alleged.

According to Lenovo, Superfish "may have appeared" on the following laptop models: G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80; U Series: U330P, U430P, U330Touch, U430Touch, U530Touch; Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70; Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80; S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch; Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10; MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030; YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro; and E Series: E10-30.

The company has not disclosed how many computer units were pre-installed with the Superfish software.

Lenovo said it has issued instructions on how users can remove the pre-installed Superfish software on their PCs.

It said it stopped preloading Superfish on its computers last January and "shut down the server connections that enable the software, and we are providing online resources to help users remove this software."

"To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any desktops, tablets, smartphones or servers; and it is no longer being installed on any Lenovo device," the company said.

In an updated statement, Lenovo has released an automated tool to remove Superfish and its certificate which can be found at http://support.lenovo.com/us/en/product_security/superfish_uninstall.

It said it is now working with McAfee and Microsoft to quarantine and remove the Superfish software.

Lenovo denied that it knew about the vulnerability of Superfish when it pre-installed the software. "However, we did not know about this potential security vulnerability until yesterday," it claimed.