Recently bought a PC from Lenovo (HKG: 0992)? It might have shipped with a nasty piece of adware, one that borders on malware, called Superfish.
Superfish is a piece of manufacturer bloatware that bills itself as a “visual search engine”.
However, many users have complained that it injects ads into the user’s web browser.
According to company representatives, it instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is.
While most software like this is passed over and ignored by customers, this nasty piece of code does more: its ad injection happens inside the user’s web browser through a man-in-the-middle root certificate, effectively hijacking the pathway between the browser and the server. This poses a potential security risk: if Superfish were somehow compromised, the SSL connection between a user’s browser and a secure website, such as a bank, would be vulnerable to eavesdropping by a third party.
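The practical check that follows from the paragraph above is to look at which root certificates a machine actually trusts, since a man-in-the-middle root only works if it sits in the trust store. The script below is an added example and is not code from the article or from Lenovo or Superfish: it lists the self-signed roots in the Windows machine and user root stores and flags any whose thumbprint is not in a baseline taken from a clean reference image. The baseline thumbprints are placeholders you would fill in yourself, and the column `HasPrivateKey` is included because a trusted root for which the local machine also holds the private key is exactly what a local interception proxy needs.

```powershell
# Added example, not from the original article.
# Audit the Windows root stores for trusted roots that are not in a known-good baseline.
# The thumbprints below are PLACEHOLDERS: populate them from a clean reference image.
$Baseline = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

function Get-UnexpectedRoots {
    param(
        [string[]]$BaselineThumbprints,
        # Both stores are checked; a root can be added for the current user only.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    foreach ($Store in $Stores) {
        Get-ChildItem -Path $Store |
            # A root CA is self-signed: its Subject equals its Issuer.
            Where-Object { $_.Subject -eq $_.Issuer } |
            # Anything not in the baseline is worth a closer look.
            Where-Object { $BaselineThumbprints -notcontains $_.Thumbprint } |
            Select-Object @{ Name = 'Store'; Expression = { $Store } },
                          Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey
    }
}

Get-UnexpectedRoots -BaselineThumbprints $Baseline | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the machine store is readable in full. An unexpected root by itself is not proof of interception (enterprise proxies and some security products install their own), but an unexpected root with `HasPrivateKey` set to `True` on an end-user laptop is the pattern described in this article and should be removed once its origin is confirmed.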
This is a problem. #superfish pic.twitter.com/jKDfSo99ZR
— Kenn White (@kennwhite) February 19, 2015
Superfish has been categorized by nearly a dozen antivirus providers as adware, a trojan, or an otherwise potentially harmful and unwanted program.
A Lenovo representative said on a customer support forum that the software will be removed from future Lenovo machines, and work is underway to create a patch to remove the ad injection.
Update: Lenovo sent in this statement:
1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
2) Lenovo stopped preloading the software in January.
3) We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com.