CERT Warns Consumers About Pre-Installed Superfish Software on Lenovo PCs

CERT Warns Consumers About Pre-Installed Superfish Software on Lenovo PCs

by Chris Thomas on 17 March 2015 · 1802 views

Consumers are being warned by the federal Computer Emergency Readiness Team (CERT) about a pre-installed software found on some Lenovo PCs. It's called Superfish, and while the software itself is not a virus, it has been classified as adware and supposedly has several features that make the host operating system vulnerable to attacks from hackers.

The issue was initially addressed in February, when CERT found Superfish to be vulnerable to HTTPS Spoofing. Lenovo then put out a Superfish advisory, a guide on how to uninstall Superfish, and even a Superfish Removal Tool, followed by CERT issuing their statement declaring that systems with Superfish installed “will continue to be vulnerable until corrective action has been taken.”

Lenovo classifies Superfish as a High Severity security risk that exposes the host operating system to Man-in-the-Middle Attacks:

1 full CERT Warns Consumers About PreInstalled Superfish Software on Lenovo PCs

While Lenovo is no longer installing Superfish on its PCs, there are still many computers out the that have the software installed, and according to CERT, those computers “will continue to be vulnerable until corrective actions have been taken.” Fortunately, Lenovo has released an uninstall tool that helps you run a complete uninstall of Superfish.

Lenovo began loading Superfish onto some of its consumer PCs back in September of 2014, but stopped doing so in January 2015 after a litany of consumer complaints that lead to the software being labeled spyware by CERT and other internet security companies. After discontinuing the software on all of its PC's Lenovo then stated that it was taking steps to disable it automatically on machines that it was already installed on.

Originally Superfish was marketed as a tool to help enhance the online shopping process, and while the company has denied that the software was a security concern, numerous researches have contended otherwise. In fact, a piece on ZDNet even called it a “nightmare for those who value their privacy,” and “worse than we thought.”

Fortunately, the problem has been largely brought under control by a combination of efforts from Lenovo, CERT, and antivirus companies like McAfee. More recently it has been reported that Microsoft's late February security update resulted in the removal of about 250,000 PCs. For those of you interested in learning more about how Superfish works on the technical side, check out Errata Security's treatise on extracting the Superfish Certificate.

Comments (0)
Featured Articles