At Lenovo, we make every effort to provide a great user experience for our customers. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. The goal was to improve the shopping experience using their visual discovery techniques.
In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.
We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. Detailed information on these activities and tools for software removal are available here:
http://support.lenovo.com/us/en/product_security/superfish
http://support.lenovo.com/us/en/product_security/superfish_uninstall
To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any desktops, tablets, smartphones or servers; and it is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are confident in our products, committed to this effort and determined to keep improving the experience for our users around the world.
Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
E Series: E10-30
Lenovo Edge 15
Please see related Lenovo News Release on Superfish
UPDATE from 2/20 - an automated tool is now available to uninstall. The tool, license, source code, and alternate manual uninstall instructions are available at the link below.
http://support.lenovo.com/us/en/product_security/superfish_uninstall
It's not enough...
Didn't remove al...
I want a clean win8.1 and clean drivers for my computer bought last week!!
I'm in France so do what you have to do to protect my connection and my laptop!!
This is totally unacceptable.
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."
Are you kidding me? I've heard some whoppers in my time and this almost tops it. The gall. Which "marketing manager" thought this idea would actually fly?
-- Former Lenovo Customer
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."
This statement pretty much disintegrates any bit of respect left for Lenovo. Either you didn't look very hard, or the people doing this were completely incompetent.
The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site.
Even worse, there's no clear fix for the issue. The software can be uninstalled (instructions are here), but that won't entirely solve the issue. Superfish sets all infected computers to run web encryption through Superfish's certificate authority, which is now easily unlocked by the published password — but simply uninstalling the software won't undo those settings. Researchers are still exploring the bug and more fixes can be expected in the days to come — but in the meantime, anyone affected by the bug should avoid public Wi-Fi networks (if possible, Wi-Fi in general) whenever possible. This test will show if your computer is affected, courtesy of researcher Filippo Valsorda.
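The point above, that uninstalling the application leaves its certificate authority trusted by Windows, can be checked directly. The PowerShell below is an added example, not Lenovo's removal tool or anything from the original page; it assumes the rogue root CA can be recognised by the string "Superfish" in its subject or issuer, lists any match in the machine and user root stores, and removes matches only when run with -Remove from an elevated session.

```powershell
# Added example (not Lenovo's or Superfish's code): find, and optionally remove,
# any trusted root CA certificate whose subject or issuer matches a pattern.
# Assumption: the rogue CA names itself "Superfish"; change $SubjectPattern if
# your inventory shows a different name.
param(
    [string]$SubjectPattern = 'Superfish',
    [switch]$Remove
)

# Both stores are checked: a per-user install and a machine-wide install
# are equally trusted by Windows' TLS stack (and by browsers that use it).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found = @()
foreach ($store in $stores) {
    $found += Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $SubjectPattern -or $_.Issuer -match $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if ($found.Count -eq 0) {
    Write-Output "No root certificate matching '$SubjectPattern' found."
    return
}

# Report before touching anything so the thumbprint can be recorded.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Removing from LocalMachine\Root requires an elevated session.
        Remove-Item -Path $cert.Path -Confirm:$false
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
}
```

Firefox keeps its own trust store rather than using the Windows one, so it has to be inspected separately.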
but there's no cause for alarm right?
this is mind blowing.
come on mark tell us all how it's nothing to worry about again, this is shameful
BE CAREFUL THEY ARE EDITING POSTS TO SUIT THE NEEDS OF THE COMPANY
Not only was this an immensely terrible idea from the very start, but the people who developed this crappy software misspelled its name. Its real name is DUPERPHISH! This is more like MALWARE, and not just adware, as it secretly, without the user's knowledge, hijacks HTTPS SSL/TLS connections where you thought that you were connecting to a secure Web site such as a bank, financial institution, or online store.
Considering that Lenovo's officials in Beijing have strong ties to the Chinese government, and in light of the NSA's own hardware-based spying, I *NEVER* use a Lenovo computer for any kind of financial transaction. Nor do I store any really personal or sensitive information on a Lenovo computer. They are only good for gaming and some casual Web surfing, and that's it. I am not sure that I entirely trust the NSA's motives either... but I trust them more than having China or Russia siphoning data from me.
that does not remove the fake SSL root certificate that is used for a man-in-the-middle attack to intercept all encrypted connections.