Superfish Lenovo spears their customers.
Although Lenovo apparently knew about the problems with this potentially unwanted programs, PUP, that turned out to be really bad, they did not notify customers until the story was broken by Marc Rogers on February 19. When are big companies going to realize that doing the right thing is not optional. One can understand from the Forbes article, mentioned in the Slate story below, that the Superfish Lenovo relationship seemed reliable.
Companies must be held accountable for the components the include in there wares!
Spoiler Alert – Bad actors in the market place this kind of stupid thing on systems all the time and need to be punished severely by consumers, and people with impact in the IT community.
Summary:
This advisory only applies to Lenovo Notebook products. (Consumer products, not enterprise class systems.
(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.
Superfish Lenovo was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively:
- Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software product is no longer active, effectively disabling Superfish for all products in the market.
- Lenovo ordered the pre-load removal in January.
- We will not preload this software in the future.
Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. The application can be uninstalled; however, the current uninstaller does not remove the Superfish root certificate.
From <http://support.lenovo.com/us/en/product_security/superfish?>
This presents a security nightmare for affected consumers.
- Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can inject its adverts. This means that anyone affected by this adware cannot trust any secure connections they make.
- Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact, they now have to rely on Superfish to perform that check for them. Which it does not appear to do…
Read more From <http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/>
Tekmar and our staff strongly advise all computer users to check for this and other invasive adware and malware
- Here is s snapfish specific tool https://filippo.io/Badfish/
- See other bad actors here… take action.
“Lenovo pre-installed Superfish adware on its laptops, it betrayed its customers and sold out their security. It did it for no good reason, and it may not even have known what it was doing. I’m not sure which is scarier. The various news reports of this catastrophe don’t quite convey the sheer horror and disbelief with which any technically minded person is now reacting to Lenovo’s screw-up. Security researcher Marc Rogers wrote that it’s “quite possibly the single worst thing I have seen a manufacturer do to its customer base. … I cannot overstate how evil this is.” He’s right. The Lenovo Superfish security hole is really, really bad.”
Slate author David Auerbach says “Lenovo sold its soul to the devil and forgot to get much in return.” However the closest case is not Sony in 2006. There are many software giants selling screen space to unscrupulous vendors like the superfish people who lead unsuspecting consumers down the primrose path. Other Hardware vendors also put bloat-ware on their devices that endanger their customers.
Users of computer, that includes any devices that connect to the internet, should not look the other way after this outrage by a singled-out hardware vendor. They all do it is not an excuse either. Everybody must be vigilant, keep your devices clean and clear of unwanted software. Let the company’s that supply hardware and software that they are responsible for the well-being of there customers. Take action to keep yourself protected.