Showing results for 
Search instead for 
Do you mean 
Reply
What's DOS?
Posts: 1
Registered: ‎02-18-2015
Location: San Diego
Message 31 of 159 (13,182 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Unfortunately, there are still many unanswered questions:

 

1. Does Superfish use the same CA certificate on all installs? If so, this this goes way beyond a "potentially unwanted" program and becomes a huge security vulnerability. Since the corresponding private key would be included with any copy of the Superfish software, it would be relatively easy for anyone to intercept ANY of your SSL traffic, making your computer completely insecure for things like online banking.

 

2. If the CA certificate is generated locally, does it use a proper source of entropy? If the private key it generates is insufficiently random, then an attacker might still be able to intercept your SSL traffic.

 

3. If the user rejects the Superfish terms, is the certificate still installed?

 

4. If Superfish Visual Discovery is uninstalled, does it also remove the certificate? If not, your computer could remain vulnerable even after you remove it.

 

5. Is the Superfish certificate trusted for other uses, such as code signing?

Paper Tape
Posts: 3
Registered: ‎02-18-2015
Location: Seattle
Message 32 of 159 (12,930 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

There is also a "Root Agency" certificate located in the "Intermediate CAs" store, what is this ? Why is it there ? This certificate has no information to trace it, nor any information describing its use, and it allows signing everything.

 

I bought a Yoga 2 11 2 months ago, and needless to say, I want to return this piece of malware and get my money back !

Fanfold Paper
Posts: 4
Registered: ‎02-18-2015
Location: :3
Message 33 of 159 (12,720 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

[ Edited ]
802.11n
Posts: 308
Registered: ‎03-30-2011
Location: CA
Message 34 of 159 (12,181 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

[ Edited ]

Mark_Lenovo wrote:
...As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues...

 

 


 

Has such an update been provided yet?  Does it/will it simply uninstall the program to stop the ads or will it also rectify the certificate/security issue?

HDMI
Posts: 235
Registered: ‎10-21-2012
Location: Switzerland
Message 35 of 159 (11,869 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Mark, thanks for your clarifications!

However, a few ardent issues remain open:

1) Superfish Visual Discovery is just the algorithmic engine. Nice, though perhaps an unwanted resource hogging adware.

2) The other, much darker, side of this story is Superfish's communication protocol stack, its snooping/monitoring, its proxy and MITM, arguably classifed as malware or virus. That's the culprit at stake, literally. See links
https://twitter.com/shaver/status/568216937181749248
http://www.engadget.com/2015/02/19/lenovo-superfish-adware-preinstalled/
http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/

3) How can you classify "our consumer systems"?
Any of them can and are being used also for business... that's one of Lenovo's inheritances from IBM's ThinkPad line.

Net: Consumer or business, such adware + malware is NOT acceptable.

Particularly in today's increasingly fragmented and tensioned market space, where no western company/user would accept such exposures from a Chinese vendor; nor viceversa. No user is supposed to monitor her traffic with wireshark to catch MITM and proxy installs.

This event prompts me to reconsider more than a few decisions - until Lenovo delivers CLEAN machines, just Windows + device drivers.
Blue Screen Again
Posts: 7
Registered: ‎02-18-2015
Location: Seattle, WA USA
Message 36 of 159 (11,854 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

Same as an earlier post I made on this subject:

 

"

UN...BELIEVABLE..WOW!

 

I have been working in tech software and systems engineering since MICE were not even available for personal computers..I have NEVER seen a brand, of any sort, come OTB with malware.

 

This is just unreal...and altogether unacceptable. Lenovo is a brand I always have associated with top quality, best practices trustworthy security. The brand has been rock solid, but sliding for years, and lately I have been having some concerns about it's Chinese home...increasingly concerning to me in light of technology security and attacks originating from China. We all know that everything from iPhones to Whirlpool Dishwashers are made in China, but to actually run and HQ this operation there concerns me...

 

I am about done at this point. I have never, in my career or my life, ever been the 'victim' of a OTB malware device.

 

I have spent over three hours trying to eradicate the Superfish junk. I worked for an hour to purge two games, also dated at manufacturing time. 

 

This app and its associated scripts are injecting my browser with a JavaScript includes file for Best Deals...

 

I am viewing source for my site work and I see this includes in the header for Best Deals, and McAffee wont detect it, MalwareBytes wont get it, and I am working in CCleaner and Revo Uninstaller and spending hours of precious time I should be working, trying to eradicate my brand new device of a known, malicious set of scripts and apps that were shipped from the factory. I have lost about a half of a day of productivity, and if anyone here is a freelance, consultant, or engineer; they know time is absolutely scarce and deadlines are over our heads; which is why we purchased Lenovo's to begin with.

 

This is a very sad day, I am sad to see my favorite brand go to the dump like this, exploit us, and cause me personal risk that a major company took part in. 

 

Lenovos support on the issue is outright denial. They have not attempted to push an update to eradicate this hardware, which implements them as knowing accesses as far as I am concerned.

 

Let me make this clear: NO PROGRAM; of ANY calibre, used for ANY device, should ever (EVER!) interface between my keyboard and a HTTPS site. 

 

I have a few more hours, its after 12PM now, I will keep looking for a way to remove this junk, but I wanted to vent my frustration, and I think we need to consider returning our Lenovo device and looking at a solid American brand like Dell maybe, I don't know. This is absurd, and Lenovos inaction definitely indicates some level of knowledge, and conspiracy to commit sabotage, and distribute malware/spyware to consumers; many of whom are working in sensitive high security projects. I cannot come to any other conclusion after Lenovos refusing to deal with this."

Blue Screen Again
Posts: 7
Registered: ‎02-18-2015
Location: Seattle, WA USA
Message 37 of 159 (11,724 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

This is a horrible response, I am sorry.

 

First of all, I was never asked if I wanted to enroll in any SuperFish software. Second of all, every software, down to the kernal itself, should be opt out, or easy uninstall, for a business machine. Third of all, your SuperFish app is injecting JavaScript header into my web pages. 

 

This is totally unacceptable. I have no idea why you would do this, but it is definately Malware, as the very defintion of Malware is unwanted software that is a nuisance to remove and causes unwanted actions, or jeopardizes security of a machine.

 

I am really disappointed and will be returning my device and strongly advocating the issue for awareness acrost the internet. This brand should be avoided, its nationality was already shady, but its indifferent atttitude towards allowing us to even remove the software iin question, is an outright implication of guiilt as far as I can tell.

 

Why do I say this? Because systems engineers, power users, and security concerned agencies and firms cannot have apps that discretely install programs, are difficult (impossible) to remove, or ..ahem...inject source code into our sites.

 

This is an app you claim is a harmless shopping app that uses visualization, and all I need to do is opt out? WHERE? And when did I ever "opt in"?

 

I did not opt in, it was not in the EULA, TOS or any other notice during install or afterwards.

 

This is most deefinately malware and Lenovo needs to step in and remove it, eraddicate it. i refuse to compromise privacy and security for the shopping anlyytics of a company trying to profit off of spying on my online behavior and trying to slip me new places to buy junk, not from a company in China, thats for sure.

 

As a formally educated network, software and database engineer, with a number of advanced security classes under my belt, as well as over 15 years of working in the field, I know what innapropriate bundling and indifferent response is, and I am fully aware that a Chinese company slipping in malware is a poor choice for business.

 

GET A GRIP

What's DOS?
Posts: 1
Registered: ‎02-19-2015
Location: Algeria
Message 38 of 159 (11,612 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

This post might get deleted. Sure, go ahead, delete it, but read it first.

 

I used to be a long-time loyal Lenovo customer. I've bought 4 laptops for professional work, experimental and personal use over the the past 7 years. I was well aware of some of the bloatware lenovo and other laptop manufacturers tend to install, but I always wipe my drive and install Linux or OpenBSD, so I was mostly naive of the extent of this situation. That said, I have permanently, heartbreakingly blacklisted Lenovo from my list.

 

A software which runs without my implicit permission, influences search behavior, sets an SSL cert man-in-the-middle (so you're tracking my HTTPS info as well?), introduces a blatant vulnerability just to gain a few more $$$ for targeted advertising (shared keys? In the industry I work in, I find -- increadibly silly -- security vulnerabilities, all the time. This is by far the worst of the lot, not to mention by a company I had once respected).

 

By introducing superfish, you have personally insulted me as a customer. You have lost my trust. I'm not personally affected because I could have ended up using your install -- I am personally affected because my friends and familly might be -- they might be the ones ending up getting their credentials stolen, because you decided to install this software for your own benefit (under the guise of it being useful to other customers). That puts me in a vulnerable position, too, because their information being stolen might mean mine gets taken along with it.

 

The people representing Lenovo should own up to it rather than defend their mistake and the company's image. It's unprofessional to say that "you could just uninstall, it takes a few seconds," when 1) that's not the point at all, and 2) uninstalling does not get rid of the SSL MITM, leaving you vulnerable.

 

I will make sure people and the companies I work with know about this when they contemplate purchasing any of your products.

 

Goodbye, Lenovo. It was good while it lasted, but you blew it.

Punch Card
Posts: 53
Registered: ‎07-21-2011
Location: United Kingdom
Message 39 of 159 (11,515 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

This is really unacceptable.

I spent several hours the other day investigating how Superfish had come to be on a laptop my mother had bought and used. She had managed to get other adware on it, but even after removal of the other adware, I noticed that google search results were being tampered with. Superfish was doing this using a certificate that it had installed.

Every single HTTPS connection made with this laptop has potentially passed through an untrusted and unknown third party.

The solution suggested by several people here to reinstall Windows or buy from another manufacturer is garbage. It isn't easy for an average user to reinstall Windows. It is also time consuming - that's at least an hour of time taken up. But if the laptop has been used for a number of months and has programs and data, it is going to take a lot longer. And it's too late to buy from another manufacturer. Please stop blaming the victim.

Lenovo - the only accpetable path here is for Superfish to be automatically removed from all machines. This includes removing the certificate.

You also need to warn people that they have been put at risk of data theft and their private information may have been leaked. This needs to be clear and express to all users.

001
Paper Tape
Posts: 1
Registered: ‎02-19-2015
Location: Belgium
Message 40 of 159 (11,318 Views)

Re: Lenovo Pre-instaling adware/spam - Superfish - powerd by VisualSearch

[ Edited ]

Add me to the list.

 

I've been a Thinkpad user since the X60, when my Carbon dies, I'm out.

 

I always make a Linux fresh install when I get my new laptops so I've never been affected but it is a matter of principle. Installing crapwares is one (shameful) thing, jeopardizing users/customers security is another.

 

Is there anything else - at hardware level - we should be made aware of?

 

Admin Edit; Profanity removed; No posts, forum IDs or email addresses shall contain profanity (implied or otherwise)

Top Kudoed Authors