Updated: Purchased a Lenovo PC recently? It might have adware – and a critical HTTPS vulnerability

Lenovo Horizon II
Updated: 2/20/2015 2:53 PM

Lenovo has produced a list of systems that “may have” Superfish installed. They include.

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

It appears ThinkPad systems were spared, which is good news for enterprise users concerned about security.

Have you purchased a Lenovo computer lately? Then you may be vulnerable to a “man-in-the-middle” attack that can steal information from websites that appear secured by HTTPS. The attack is possible because of adware installed on the company’s machines at the factory.

The adware, known as Superfish, uses ad injection to place advertisements into websites that are not normally there, or interrupt loading of a site and show an additional ad. Lenovo says this function is now disabled on the server side.

Related: Adware app found in Google Play store

More troubling still, the adware breaks HTTPS connections to achieve its goals. It does this through a self-signed security certificate that can intercept those normally used by websites. The site still appears secure, as normal, but when its certificate is examined it’s shown to belong to Superfish, rather than the site visited.

Security researchers have also discovered the Superfish-signed certification appears to be the same on every Lenovo computer, and is protected by a rather simple security password. Rob Graham, CEO of Errata Security, claims he cracked the password, and found it to be “komodia.”

See the problem? If not, here’s the basic version: malicious hackers can now potentially hijack the Superfish certificate’s credentials, and because the certificate replaces those normally used by sites that secured through HTTPS, doing so effectively lets an attacker masquerade as any HTTPS secured site on a Lenovo PC. Google, your bank, your credit card company; connections to all of these, and more, are vulnerable to man-in-the-middle attacks.

Related: Forged security certificate targets Gmail users

Lenovo, in its official response, states “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” Unfortunately, though, the company has not made an effort to specifically refute the vulnerability demonstrated by security researchers. No new Lenovo PCs are shipping with Superfish as of January, but that does not guarantee currently available models lack the issue, as systems sometimes linger in inventory for months.

The statement also says Superfish does not track user behavior or record user information. No security researcher has accused Lenovo of that, but it’s easy to understand why some users might believe that, too, was a possibility.

Obviously, this is a significant issue given Lenovo’s position as one of the world’s largest PC manufacturers. The company also has significant enterprise presence with its ThinkPad line, and those users are often particularly concerned with security. No one knows exactly which systems had Superfish installed besides Lenovo, but there could be millions now in the wild with this critical vulnerability.

The company’s support forums provide a way to uninstall Superfish, but users who’ve tried it so far claim it does not remove the false certification. Let’s hope Lenovo finds a way to help users patch their systems.

Deals

Best Memorial Day sales 2019: Amazon, Best Buy, and Walmart deals

If you're looking to save big on some shiny new stuff for Memorial Day 2019, we've gathered everything you need to know into one place. Find out where to save the most money before the summer hits its stride.
Mobile

Huawei's situation in the U.S. may improve when trade war is resolved

The U.S. Commerce Department has added Huawei to its "Entity List." Google, Intel, and ARM are all confirmed or rumored to be ceasing business with the company, which may have disastrous effects on Huawei.
Deals

Amazon Memorial Day sale: Apple Watch, Surface Pro, and 4K TV Deals

Amazon is discounting a number of different items. Smartwatches, tablets, 4K TVs, smart home devices, and laptops are all getting discounts to stay competitive with prices from Walmart and Best Buy.
Computing

Keep your kids safe online with these great parental control tools

The internet can be a dangerous place, especially for your loved ones. Check out our selection of the best free parental control software for Windows and MacOS, so you can monitor your child and block unsavory sites.
Computing

Here’s how to watch AMD reveal its new Ryzen chips at Computex

AMD will hold a pre-Computex keynote May 27 to announce its new line of 3rd-generation Ryzen processors and accompanying Radeon Navi graphics cards. Here's how to watch the keynote live wherever you are in the world.
Computing

Should you buy a MacBook Pro or a Razer Blade Stealth? We'll help you decide

Laptop head to heads are a great way to see which one might be the right one for you. Our latest sees the Razer Blade Stealth (2019) vs. MacBook Pro in a fight to see which one deserves to be your next laptop.
Computing

Microsoft might finally embrace USB-C on next-gen Surface Pro 7

USB-C could finally come to Microsoft's Surface Pro tablet. According to a Microsoft patent filing, the port was shown in an illustration, suggesting that the company is working to support this feature in the future.
Computing

AMD's latest Navi graphics cards are incoming. Here's what to expect

AMD's Navi graphics cards could be available as soon as July 2019 — as long as it's not delayed by stock problems. Billed as a successor to Polaris, Navi promises to deliver better performance to consoles like Sony's PlayStation 5.
Computing

Ryzen 3000 chips will pack a punch, and could launch as early as July

AMD's upcoming Ryzen 3000 generation of CPUs could be the most powerful processors we've ever seen, with higher core counts, greater clock speeds, and competitive pricing. Here's what we know so far.
Mobile

Want to watch Netflix in bed or browse the web? We have a tablet for everyone

There’s so much choice when shopping for a new tablet that it can be hard to pick the right one. From iPads to Android, these are our picks for the best tablets you can buy right now whatever your budget.
Deals

The best Amazon Prime Day 2019 deals: Everything you need to know

Amazon Prime Day 2019 is still a few months off, but it's never too early to start preparing. We've been taking a look at the best discounts from previous Prime Days to give you our predictions of what to expect this year.
Computing

Here’s how to watch the Nvidia Computex 2019 press conference

Here’s everything you need to know about Nvidia’s upcoming press conference at Computex 2019 in Taipei, Taiwan; including what to expect during the press conference and how and when to watch it.
Emerging Tech

Awesome Tech You Can’t Buy Yet: Tricked-out e-scooters and bike lights that lock

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it's fun to gawk!
Computing

Intel’s Computex 2019 keynote: Here’s how to watch and what to expect

Intel is scheduled to give its Industry Opening Keynote at Computex on Tuesday, May 28, where it will likely fully unveil its first 10th generation chips and further outline its Project Athena initiative. Here's how to watch it.