Lenovo P, Y and Z series Notebooks Knowledge Base-Lenovo Community

Removal Instructions for VisualDiscovery Superfish application

LENOVO STATEMENT ON SUPERFISH

At Lenovo, we make every effort to provide a great user experience for our customers. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. The goal was to improve the shopping experience using their visual discovery techniques.

In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.

We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. Detailed information on these activities and tools for software removal are available here:

http://support.lenovo.com/us/en/product_security/superfish
http://support.lenovo.com/us/en/product_security/superfish_uninstall

To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any desktops, tablets, smartphones or servers; and it is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are confident in our products, committed to this effort and determined to keep improving the experience for our users around the world.

Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
E Series: E10-30
Lenovo Edge 15

Please see related Lenovo News Release on Superfish

Please use the following link for uninstall details - these are being updated frequently

UPDATE from 2/20 - an automated tool is now available to uninstall. The tool, license, source code, and alternate manual uninstall instructions available on the link below.

http://support.lenovo.com/us/en/product_security/superfish_uninstall

Was this information helpful?

Yes No

Comments

cenc On 2015-02-19, 15:17 PM

that does not remove the fake SSL root certificate that is used for a man in the middle attack to intercept all encrypted connections.

Flepi On 2015-02-19, 15:29 PM

It's not enought...

Didn't remove al...

I want a clean win8.1 and clean drivers for my computer bought last week !!

I'm in France so do what you have to do to protect my connection and my laptop !!

adam_at_bt On 2015-02-19, 15:40 PM

This is totally unacceptable.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Are you kidding me? I've heard some whoppers in my time and this almost tops it. The gall. Which "marketing manager" thought this idea would actuall fly?

-- Former Lenovo Customer

techkitsune On 2015-02-19, 16:06 PM

"Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. " Awesome! That means I can compromise any computer that still has this cruft left over! Good job FAILING AT SECURITY, LENOVO. Even better job at hiring someone incompetent like Mark to highlight that. Oh, and since Lenovo deliberately and knowingly distributed this software, which illegally assumes the identities of individuals and companies (including my own) that also means Lenovo is guilty of identity theft. Since it bypasses security measures and defeats encryption before it can happen, it's also a violation of the CFAA - federal charges need to be brought against Lenovo for this.

techkitsune On 2015-02-19, 16:21 PM

"Our goal is to find technologies that best serve users."

A laptop without bloatware best serves users. A laptop with bloatware best serves other people.

You are very obviously NOT looking out for your users.

tMettam On 2015-02-19, 17:19 PM

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

This statement pretty much disintegrates any bit of respect left for Lenovo. Either you didn't look very hard, or the people doing this were completely incompetent.

m0nst3r44 On 2015-02-19, 17:26 PM

The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site.

Even worse, there's no clear fix for the issue. The software can be uninstalled (instructions are here), but that won't entirely solve the issue. Superfish sets all infected computers to run web encryption through Superfish's certificate authority, which is now easily unlocked by the published password — but simply uninstalling the software won't undo those settings. Researchers are still exploring the bug and more fixes can be expected in the days to come — but in the meantime, anyone affected by the bug should avoid public Wi-Fi networks (if possible, Wi-Fi in general) whenever possible. This test will show if your computer is affected, courtesy of researcher Filippo Valsorda.

but theres no cause for alarm right?

this is mind blowing.

come on mark tell us all how its nothing to worry about again, this is shamefull

BE CAREFULL THEY ARE EDITING POSTS TO SUIT THE NEEDS OF THE COMPANY

techkitsune On 2015-02-19, 17:47 PM

Just checked using a customer's new Yoga and a fake bank account I have set up for security checking just like this. Superfish transmits IN THE CLEAR username and password. Taking the laptop to the bank right now - odds are Lenovo won't be welcome in any IT sector once the banks get wind of this.

DragonPurr On 2015-02-19, 17:52 PM

Not only was this an immensely terrible idea from the very start, but the people who developed this crappy software misspelled its name. Its real name is DUPERPHISH ! This is more like MALWARE, and not just adware, as it secretly, without the user's knowledge, hijacks HTTPS SSL/TLS connections where you thought that you were connecting to a secure Web site such as a bank, financial institution, or online store.

Considering that Lenovo's officials in Beijing have strong ties to the Chinese government, and in light of the NSA's own hardware-based spying, I *NEVER* use a Lenovo computer for any kind of financial transaction. Nor do I store any really personal or sensitive information on a Lenovo computer. They are only good for gaming and some casual Web surfing, and that's it. I am not sure that I entirely trust the NSA's motives either... but I trust them more than having China or Russia siphoning data from me.