Updated: Purchased a Lenovo PC recently? It might have adware – and a critical HTTPS vulnerability

Lenovo Horizon II
Updated: 2/20/2015 2:53 PM

Lenovo has produced a list of systems that “may have” Superfish installed. They include.

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

It appears ThinkPad systems were spared, which is good news for enterprise users concerned about security.

Have you purchased a Lenovo computer lately? Then you may be vulnerable to a “man-in-the-middle” attack that can steal information from websites that appear secured by HTTPS. The attack is possible because of adware installed on the company’s machines at the factory.

The adware, known as Superfish, uses ad injection to place advertisements into websites that are not normally there, or interrupt loading of a site and show an additional ad. Lenovo says this function is now disabled on the server side.

Related: Adware app found in Google Play store

More troubling still, the adware breaks HTTPS connections to achieve its goals. It does this through a self-signed security certificate that can intercept those normally used by websites. The site still appears secure, as normal, but when its certificate is examined it’s shown to belong to Superfish, rather than the site visited.

Security researchers have also discovered the Superfish-signed certification appears to be the same on every Lenovo computer, and is protected by a rather simple security password. Rob Graham, CEO of Errata Security, claims he cracked the password, and found it to be “komodia.”

See the problem? If not, here’s the basic version: malicious hackers can now potentially hijack the Superfish certificate’s credentials, and because the certificate replaces those normally used by sites that secured through HTTPS, doing so effectively lets an attacker masquerade as any HTTPS secured site on a Lenovo PC. Google, your bank, your credit card company; connections to all of these, and more, are vulnerable to man-in-the-middle attacks.

Related: Forged security certificate targets Gmail users

Lenovo, in its official response, states “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” Unfortunately, though, the company has not made an effort to specifically refute the vulnerability demonstrated by security researchers. No new Lenovo PCs are shipping with Superfish as of January, but that does not guarantee currently available models lack the issue, as systems sometimes linger in inventory for months.

The statement also says Superfish does not track user behavior or record user information. No security researcher has accused Lenovo of that, but it’s easy to understand why some users might believe that, too, was a possibility.

Obviously, this is a significant issue given Lenovo’s position as one of the world’s largest PC manufacturers. The company also has significant enterprise presence with its ThinkPad line, and those users are often particularly concerned with security. No one knows exactly which systems had Superfish installed besides Lenovo, but there could be millions now in the wild with this critical vulnerability.

The company’s support forums provide a way to uninstall Superfish, but users who’ve tried it so far claim it does not remove the false certification. Let’s hope Lenovo finds a way to help users patch their systems.

Product Review

Controversy has dogged the MacBook Pro lately. Is it still a good purchase?

The MacBook Pro is a controversial laptop these days -- and that's unfortunate. Due to some divisive changes Apple made to the functionality of the MacBook Pro, fans are more split. Does the 8th-gen refresh change that?
Movies & TV

'Prime'-time TV: Here are the best shows on Amazon Prime right now

There's more to Amazon Prime than free two-day shipping, including access to a number of phenomenal shows at no extra cost. To make the sifting easier, here are our favorite shows currently streaming on Amazon Prime.
Deals

From Chromebooks to MacBooks, here are the best laptop deals for January 2019

Whether you need a new laptop for school or work or you're just doing some post-holiday shopping, we've got you covered: These are the best laptop deals going right now, from discounted MacBooks to on-the-go gaming PCs.
Mobile

Do these Geekbench results accurately represent the Moto G7?

The Moto G6 range is still relatively new to the market, but rumors have already started about the Moto G7, which is expected some time in 2019. Apparently, a G7 Power version will be joining the G7, G7 Play, and G7 Plus.
Computing

Breeze through security with these checkpoint-friendly laptop bags

Getting through airport security is a drag, but your laptop bag shouldn’t be. Thankfully, these checkpoint-friendly laptop bags will get you and your gear to your destination with ease.
Computing

Ditch the backdrop from your photos with these handy tools

Need to know how to remove the background from an image? Here's how, whether you prefer to use a premium program like Photoshop or one of the many web-based alternatives currently in existence.
Computing

‘Flexgate’ is the latest controversy plaguing some MacBook Pro owners

iFixit recently uncovered a new "Flexgate" issue with MacBook Pros after some consumers reported a "stage light" effect, where the backlighting on the device would fail and cause the bottom of the display to become slightly distorted.
Computing

Think someone's leeching off your Wi-Fi connection? Here's how to find out

It's important to find out immediately if anyone is stealing your bandwidth. Here's how to tell if someone is stealing your Wi-Fi using a few simple tools, along with some suggestions on improving security.
Computing

Open RAR files with the greatest of ease using these awesome applications

Few things are more bothersome than not being able to open a file when you need it most. Check out our quick guide about how to open RAR files in Windows and MacOS. We will walk you through the process, step by step.
Web

Google Chrome’s latest decision could prevent most ad-blockers from functioning

Google Chrome's newest change is cited as a step forward for speed and security, but could profoundly alter how the majority of ad-blocking extensions operate. The move potentially gives Google more control over which ads can be blocked.
Computing

Samsung permits peek at an eye-popping, 15-inch 4K OLED laptop display

Samsung is now preparing for the new OLED laptop trend and is providing a look at an eye-popping 15.6-inch 4K OLED panel that is expected to power larger premium laptops in the new year.
Music

Here's our head-to-head comparison of Pandora and Spotify

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.
Computing

Latest ransomware targets gamers with a malicious sophistication

The latest piece of ransomware, Anatova, has been discovered by the security team at McAfee. Employing a smart tactic to confuse users and able to clean its tracks as it evolves, this is one tough piece of ransomware.
Computing

Are AMD Navi GPUs coming soon? Reference found in MacOS hints at release date

Fresh off the announcement of Radeon Vega VII at CES 2019, in the latest rumors, source code references in macOS hint that the next 7nm AMD Navi products might be coming in July.