02-18-2015 08:17 PM
Unfortunately, there are still many unanswered questions:
1. Does Superfish use the same CA certificate on all installs? If so, this goes way beyond a "potentially unwanted" program and becomes a huge security vulnerability. Since the corresponding private key would be included with any copy of the Superfish software, it would be relatively easy for anyone to intercept ANY of your SSL traffic, making your computer completely insecure for things like online banking.
2. If the CA certificate is generated locally, does it use a proper source of entropy? If the private key it generates is insufficiently random, then an attacker might still be able to intercept your SSL traffic.
3. If the user rejects the Superfish terms, is the certificate still installed?
4. If Superfish Visual Discovery is uninstalled, does it also remove the certificate? If not, your computer could remain vulnerable even after you remove it.
5. Is the Superfish certificate trusted for other uses, such as code signing?
02-18-2015 09:35 PM
There is also a "Root Agency" certificate located in the "Intermediate CAs" store. What is this? Why is it there? This certificate has no information to trace it, nor any information describing its use, and it allows signing everything.
I bought a Yoga 2 11 two months ago, and needless to say, I want to return this piece of malware and get my money back!
02-18-2015 10:14 PM - edited 02-18-2015 10:50 PM
02-18-2015 11:49 PM - edited 02-18-2015 11:49 PM
...As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues...
Has such an update been provided yet? Does it/will it simply uninstall the program to stop the ads or will it also rectify the certificate/security issue?
02-19-2015 12:25 AM
02-19-2015 12:26 AM
Same as an earlier post I made on this subject:
I have been working in tech software and systems engineering since mice were not even available for personal computers. I have NEVER seen a brand, of any sort, come OTB with malware.
This is just unreal...and altogether unacceptable. Lenovo is a brand I have always associated with top quality and best-practice, trustworthy security. The brand has been rock solid, but sliding for years, and lately I have been having some concerns about its Chinese home...increasingly concerning to me in light of technology security and attacks originating from China. We all know that everything from iPhones to Whirlpool dishwashers is made in China, but to actually run and HQ this operation there concerns me...
I am about done at this point. I have never, in my career or my life, ever been the 'victim' of an OTB malware device.
I have spent over three hours trying to eradicate the Superfish junk. I worked for an hour to purge two games, also dated at manufacturing time.
I am viewing source for my site work and I see these includes in the header for Best Deals, and McAfee won't detect it, Malwarebytes won't get it, and I am working in CCleaner and Revo Uninstaller and spending hours of precious time I should be working, trying to rid my brand new device of a known, malicious set of scripts and apps that were shipped from the factory. I have lost about half a day of productivity, and if anyone here is a freelancer, consultant, or engineer, they know time is absolutely scarce and deadlines are over our heads; which is why we purchased Lenovos to begin with.
This is a very sad day, I am sad to see my favorite brand go to the dump like this, exploit us, and cause me personal risk that a major company took part in.
Lenovo's support on the issue is outright denial. They have not attempted to push an update to eradicate this, which implicates them as knowing accessories as far as I am concerned.
Let me make this clear: NO PROGRAM; of ANY calibre, used for ANY device, should ever (EVER!) interface between my keyboard and a HTTPS site.
I have a few more hours, it's after 12 PM now, I will keep looking for a way to remove this junk, but I wanted to vent my frustration, and I think we need to consider returning our Lenovo devices and looking at a solid American brand like Dell maybe, I don't know. This is absurd, and Lenovo's inaction definitely indicates some level of knowledge, and conspiracy to commit sabotage, and distribute malware/spyware to consumers; many of whom are working in sensitive high security projects. I cannot come to any other conclusion after Lenovo's refusing to deal with this.
02-19-2015 12:40 AM
This is a horrible response, I am sorry.
This is totally unacceptable. I have no idea why you would do this, but it is definitely malware, as the very definition of malware is unwanted software that is a nuisance to remove and causes unwanted actions, or jeopardizes the security of a machine.
I am really disappointed and will be returning my device and strongly advocating the issue for awareness across the internet. This brand should be avoided; its nationality was already shady, but its indifferent attitude towards allowing us to even remove the software in question is an outright implication of guilt as far as I can tell.
Why do I say this? Because systems engineers, power users, and security-concerned agencies and firms cannot have apps that discreetly install programs, are difficult (impossible) to remove, or ..ahem...inject source code into our sites.
This is an app you claim is a harmless shopping app that uses visualization, and all I need to do is opt out? WHERE? And when did I ever "opt in"?
I did not opt in, it was not in the EULA, TOS or any other notice during install or afterwards.
This is most definitely malware and Lenovo needs to step in and remove it, eradicate it. I refuse to compromise privacy and security for the shopping analytics of a company trying to profit off of spying on my online behavior and trying to slip me new places to buy junk, not from a company in China, that's for sure.
As a formally educated network, software and database engineer, with a number of advanced security classes under my belt, as well as over 15 years of working in the field, I know what inappropriate bundling and an indifferent response are, and I am fully aware that a Chinese company slipping in malware is a poor choice for business.
GET A GRIP
02-19-2015 12:52 AM
This post might get deleted. Sure, go ahead, delete it, but read it first.
I used to be a long-time loyal Lenovo customer. I've bought 4 laptops for professional work, experimental and personal use over the past 7 years. I was well aware of some of the bloatware Lenovo and other laptop manufacturers tend to install, but I always wipe my drive and install Linux or OpenBSD, so I was mostly naive about the extent of this situation. That said, I have permanently, heartbreakingly blacklisted Lenovo from my list.
Software which runs without my implicit permission, influences search behavior, sets up an SSL cert man-in-the-middle (so you're tracking my HTTPS info as well?), introduces a blatant vulnerability just to gain a few more $$$ for targeted advertising (shared keys? In the industry I work in, I find -- incredibly silly -- security vulnerabilities all the time. This is by far the worst of the lot, not to mention by a company I had once respected).
By introducing Superfish, you have personally insulted me as a customer. You have lost my trust. I'm not personally affected because I could have ended up using your install -- I am personally affected because my friends and family might be -- they might be the ones ending up getting their credentials stolen, because you decided to install this software for your own benefit (under the guise of it being useful to other customers). That puts me in a vulnerable position, too, because their information being stolen might mean mine gets taken along with it.
The people representing Lenovo should own up to it rather than defend their mistake and the company's image. It's unprofessional to say that "you could just uninstall, it takes a few seconds," when 1) that's not the point at all, and 2) uninstalling does not get rid of the SSL MITM, leaving you vulnerable.
I will make sure people and the companies I work with know about this when they contemplate purchasing any of your products.
Goodbye, Lenovo. It was good while it lasted, but you blew it.
02-19-2015 01:03 AM
This is really unacceptable.
I spent several hours the other day investigating how Superfish had come to be on a laptop my mother had bought and used. She had managed to get other adware on it, but even after removal of the other adware, I noticed that google search results were being tampered with. Superfish was doing this using a certificate that it had installed.
Every single HTTPS connection made with this laptop has potentially passed through an untrusted and unknown third party.
The solution suggested by several people here to reinstall Windows or buy from another manufacturer is garbage. It isn't easy for an average user to reinstall Windows. It is also time consuming - that's at least an hour of time taken up. But if the laptop has been used for a number of months and has programs and data, it is going to take a lot longer. And it's too late to buy from another manufacturer. Please stop blaming the victim.
Lenovo - the only acceptable path here is for Superfish to be automatically removed from all machines. This includes removing the certificate.
You also need to warn people that they have been put at risk of data theft and their private information may have been leaked. This needs to be clear and express to all users.
02-19-2015 01:23 AM - edited 02-19-2015 02:39 AM
Add me to the list.
I've been a Thinkpad user since the X60, when my Carbon dies, I'm out.
I always do a fresh Linux install when I get my new laptops, so I've never been affected, but it is a matter of principle. Installing crapware is one (shameful) thing; jeopardizing users'/customers' security is another.
Is there anything else - at hardware level - we should be made aware of?
Admin Edit; Profanity removed; No posts, forum IDs or email addresses shall contain profanity (implied or otherwise)