Updated: Purchased a Lenovo PC recently? It might have adware – and a critical HTTPS vulnerability

Lenovo Horizon II
Updated: 2/20/2015 2:53 PM

Lenovo has produced a list of systems that “may have” Superfish installed. They include.

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

It appears ThinkPad systems were spared, which is good news for enterprise users concerned about security.

Have you purchased a Lenovo computer lately? Then you may be vulnerable to a “man-in-the-middle” attack that can steal information from websites that appear secured by HTTPS. The attack is possible because of adware installed on the company’s machines at the factory.

The adware, known as Superfish, uses ad injection to place advertisements into websites that are not normally there, or interrupt loading of a site and show an additional ad. Lenovo says this function is now disabled on the server side.

Related: Adware app found in Google Play store

More troubling still, the adware breaks HTTPS connections to achieve its goals. It does this through a self-signed security certificate that can intercept those normally used by websites. The site still appears secure, as normal, but when its certificate is examined it’s shown to belong to Superfish, rather than the site visited.

Security researchers have also discovered the Superfish-signed certification appears to be the same on every Lenovo computer, and is protected by a rather simple security password. Rob Graham, CEO of Errata Security, claims he cracked the password, and found it to be “komodia.”

See the problem? If not, here’s the basic version: malicious hackers can now potentially hijack the Superfish certificate’s credentials, and because the certificate replaces those normally used by sites that secured through HTTPS, doing so effectively lets an attacker masquerade as any HTTPS secured site on a Lenovo PC. Google, your bank, your credit card company; connections to all of these, and more, are vulnerable to man-in-the-middle attacks.

Related: Forged security certificate targets Gmail users

Lenovo, in its official response, states “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” Unfortunately, though, the company has not made an effort to specifically refute the vulnerability demonstrated by security researchers. No new Lenovo PCs are shipping with Superfish as of January, but that does not guarantee currently available models lack the issue, as systems sometimes linger in inventory for months.

The statement also says Superfish does not track user behavior or record user information. No security researcher has accused Lenovo of that, but it’s easy to understand why some users might believe that, too, was a possibility.

Obviously, this is a significant issue given Lenovo’s position as one of the world’s largest PC manufacturers. The company also has significant enterprise presence with its ThinkPad line, and those users are often particularly concerned with security. No one knows exactly which systems had Superfish installed besides Lenovo, but there could be millions now in the wild with this critical vulnerability.

The company’s support forums provide a way to uninstall Superfish, but users who’ve tried it so far claim it does not remove the false certification. Let’s hope Lenovo finds a way to help users patch their systems.

Computing

These are the 5 best free antivirus apps to protect your MacBook

Malware protection is more important than ever, even if you eschew Windows in favor of Apple's desktop platform. Thankfully, protecting your machine is as easy as picking from the best free antivirus apps for Mac suites.
Computing

Is your PC slow? Here's how to restore Windows 10 to factory settings

Computers rarely work as well after they've accumulated files and misconfigured settings. Thankfully, with this guide, you'll be able to restore your PC to its original state by learning how to factory reset Windows.
Movies & TV

'Prime'-time TV: Here are the best shows on Amazon Prime right now

There's more to Amazon Prime than free two-day shipping, including access to a number of phenomenal shows at no extra cost. To make the sifting easier, here are our favorite shows currently streaming on Amazon Prime.
Computing

Want to set up your own virtual private network? Here's how

Take a look at our walkthrough for creating a virtual private network and why it is beneficial for more than just increased privacy and security. We go step by step, detailing how to set up a VPN in both MacOS and in Windows 10.
Computing

These Windows 10 keyboard shortcuts will update your OG Windows skills

Windows 10 has many new features, and they come flanked with useful new keyboard shortcuts. Check out some of the new Windows 10 keyboard shortcuts to improve your user experience.
Computing

Protecting your PDF with a password isn't difficult. Just follow these steps

If you need to learn how to password protect a PDF, you have come to the right place. This guide will walk you through the process of protecting your documents step-by-step, whether you're running a MacOS or Windows machine.
Apple

iPhone users are finding themselves randomly locked out of their Apple ID

According to posts on Reddit and Twitter, it looks like users on Reddit and Twitter having some issues with their Apple accounts. Specifically, it seems as though users are getting randomly locked out of their Apple IDs.
Computing

Don't know what to do with all your old DVDs? Here's how to convert them to MP4

Given today's rapid technological advancements, physical discs are quickly becoming a thing of the past. Check out our guide on how to convert a DVD to MP4, so you can ditch discs for digital files.
Computing

Here’s how to install Windows on a Chromebook

If you want to push the functionality of your new Chromebook to another level, and Linux isn't really your deal, you can try installing Windows on a Chromebook. Here's how to do so, just in case you're looking to nab some Windows-only…
Photography

Edit portraits with A.I. and adjust focus in the new ON1 Photo RAW 2019 editor

ON1 Photo RAW 2019 now has a dedicated tab for portraits that automatically recognizes faces to help with retouching. The update also brings a new focus stacking tool, enhancements to layers, and improvements to local adjustments.
Computing

Your MacBook can live in the lap of luxury with this leather case

Though there are several cases which we think are best for covering up MacBooks, Twelve South's Journal case is one of the newest available, providing luxurious leather coverage for your Apple laptop.
Music

Here's our head-to-head comparison of Pandora and Spotify

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.
Computing

15-inch MacBook Pro gets more powerful with new AMD Vega GPUs

Confirming Apple's quiet October announcement, new configurations for the top-range 15-inch Apple MacBook laptop are now available, coming complete with AMD Pro Vega 16 or Pro Vega 20 graphics cards on board.
Emerging Tech

Intel’s new ‘neural network on a stick’ aims to unchain A.I. from the internet

To kick off its first developer conference in Beijing, Intel unveiled the second generation of its Neural Compute Stick -- a device that promises to democratize the development of computer vision A.I. applications.