Updated: Purchased a Lenovo PC recently? It might have adware – and a critical HTTPS vulnerability

Lenovo Horizon II
Updated: 2/20/2015 2:53 PM

Lenovo has produced a list of systems that “may have” Superfish installed. They include.

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

It appears ThinkPad systems were spared, which is good news for enterprise users concerned about security.

Have you purchased a Lenovo computer lately? Then you may be vulnerable to a “man-in-the-middle” attack that can steal information from websites that appear secured by HTTPS. The attack is possible because of adware installed on the company’s machines at the factory.

The adware, known as Superfish, uses ad injection to place advertisements into websites that are not normally there, or interrupt loading of a site and show an additional ad. Lenovo says this function is now disabled on the server side.

Related: Adware app found in Google Play store

More troubling still, the adware breaks HTTPS connections to achieve its goals. It does this through a self-signed security certificate that can intercept those normally used by websites. The site still appears secure, as normal, but when its certificate is examined it’s shown to belong to Superfish, rather than the site visited.

Security researchers have also discovered the Superfish-signed certification appears to be the same on every Lenovo computer, and is protected by a rather simple security password. Rob Graham, CEO of Errata Security, claims he cracked the password, and found it to be “komodia.”

See the problem? If not, here’s the basic version: malicious hackers can now potentially hijack the Superfish certificate’s credentials, and because the certificate replaces those normally used by sites that secured through HTTPS, doing so effectively lets an attacker masquerade as any HTTPS secured site on a Lenovo PC. Google, your bank, your credit card company; connections to all of these, and more, are vulnerable to man-in-the-middle attacks.

Related: Forged security certificate targets Gmail users

Lenovo, in its official response, states “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” Unfortunately, though, the company has not made an effort to specifically refute the vulnerability demonstrated by security researchers. No new Lenovo PCs are shipping with Superfish as of January, but that does not guarantee currently available models lack the issue, as systems sometimes linger in inventory for months.

The statement also says Superfish does not track user behavior or record user information. No security researcher has accused Lenovo of that, but it’s easy to understand why some users might believe that, too, was a possibility.

Obviously, this is a significant issue given Lenovo’s position as one of the world’s largest PC manufacturers. The company also has significant enterprise presence with its ThinkPad line, and those users are often particularly concerned with security. No one knows exactly which systems had Superfish installed besides Lenovo, but there could be millions now in the wild with this critical vulnerability.

The company’s support forums provide a way to uninstall Superfish, but users who’ve tried it so far claim it does not remove the false certification. Let’s hope Lenovo finds a way to help users patch their systems.

Computing

Nvidia faces attacks from AMD, Intel, and even Google. Should it be worried?

Nvidia announced an expanded array of RTX server solutions designed to leverage the power of ray-tracing at GTC 2019. The effort will help Nvidia take on Google's Stadia in game streaming with GeForce Now, and the company's investments in…
Mobile

5G's arrival is transforming tech. Here's everything you need to know to keep up

It has been years in the making, but 5G is finally becoming a reality. While 5G coverage is still extremely limited, expect to see it expand in 2019. Not sure what 5G even is? Here's everything you need to know.
Deals

From Chromebooks to MacBooks, here are the best laptop deals for March 2019

Whether you need a new laptop for school or work or you're just doing some post-holiday shopping, we've got you covered: These are the best laptop deals going right now, from discounted MacBooks to on-the-go gaming PCs.
Product Review

The Lenovo Legion Y740 brings RTX 2080 graphics power for under $2,500

Coming with the Intel Core i7-8750H processor, Nvidia GeForce RTX 2080 Max-Q graphics, 16GB of RAM, and a 256GB PCIe NVMe SSD, the Legion Y740 one big beast. But priced at under $2,500 how does Lenovo’s Legion stand up against the crowd?
Mobile

Rooting your Android device is risky. Do it right with our handy guide

Wondering whether to root your Android smartphone or stick with stock Android? Perhaps you’ve decided to do it and you just need to know how? Here, you'll find an explanation and a quick guide on how to root Android devices.
Computing

Microsoft’s Clippy came back from the dead, but didn’t last very long

Before Cortana, Alexa, and Siri even existed, Microsoft Clippy dominated the screens of computers in the 1990s to help assist Microsoft Office users when writing letters. He recently made a bit of a comeback only to die off again.
Computing

How 5G networks will make low-latency game streaming a reality

Faster speeds and more bandwidth are some of the many promises that 5G can deliver, but for gamers, the most important thing is low latency. To achieve low latency, carriers like AT&T and Verizon are exploring hybrid models for game…
Deals

Time to do taxes? Save up to 50 percent on H&R Block tax software this weekend

Tax season is stressful, and with new tax laws in effect this year, it's not a bad idea to get some help. H&R Block has you covered: For two days only, you can save 50 percent on its great software so you can file your taxes online and save…
Computing

Stop dragging windows on your Mac. Here's how to use Split View to multitask

The latest iterations of MacOS offer a native Split View feature that can automatically divide screen space between two applications. Here's how to use Split View on a Mac, adjust it as needed, and how it can help out.
Computing

Breeze through security with these checkpoint-friendly laptop bags

Getting through airport security is a drag, but your laptop bag shouldn’t be. Thankfully, these checkpoint-friendly laptop bags will get you and your gear to your destination with ease.
Computing

The new iMacs push on iMac Pro territory, but how much power do you really need?

With Apple refreshing the higher-end iMacs with newer processors and graphics cards, it moves closer to the iMac Pro. In this guide, we consider the performance, features, and help make sense of the differences between the two.
Emerging Tech

Awesome Tech You Can’t Buy Yet: Robotic companions and computer-aided karaoke

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it's fun to gawk!
Computing

Protect your expensive new laptop with the best Macbook cases

If you recently picked up a new MacBook, you’ll want something to protect its gorgeous exterior. Here, we've gathered the best MacBook cases and covers, whether you're looking for style or protection.
Computing

Worried about your online privacy? We tested the best VPN services

Browsing the web can be less secure than most users would hope. If that concerns you, a virtual private network — aka a VPN — is a decent solution. Check out a few of the best VPN services on the market.