
Lenovo Drops Superfish Adware

PC Manufacturer Does About-Face, Issues Mea Culpa

Lenovo, the world's largest PC manufacturer, says it will cease adding Superfish adware to its devices and help customers delete the software from their computers as quickly as possible. That represents a sharp about-face by Beijing-based Lenovo, which until Feb. 19 was defending the add-on software as a feature (see Lenovo Slammed Over Superfish Adware).


Lenovo faced mounting criticism from information security researchers over its attempt to downplay its decision to pre-install the Superfish Visual Discovery adware in its Windows builds. Critics also targeted remarks from Lenovo officials, who had continued to assert that any risk posed by the software - which installed the same root certificate on all devices - is only "theoretical."

Now, however, Lenovo has shifted gears, issuing a "Superfish vulnerability" security warning, which notes that it included Superfish Visual Discovery "on some consumer notebook products shipped between September 2014 and February 2015," and that it poses a "man-in-the-middle attack" risk for any system on which it has been installed. Lenovo rates the severity of the potential security threat as "high," and notes that while the software itself can be easily removed from any device, "the current uninstaller does not remove the Superfish root certificate." Lenovo says that after poor user feedback regarding Superfish, it had deactivated the related server in January, meaning that no more Superfish-powered results were being injected into users' search queries.

Lenovo also issued the following mea culpa via Twitter: "We're sorry. We messed up. We're owning it. And we're making sure it never happens again." It also released detailed instructions for removing the adware, as well as determining if the risky Superfish digital certificate is installed, and how to remove it. The company also published a full list of all machines on which Superfish was installed.

"Affected users will need to first manually remove the Superfish application and subsequently to revoke and remove the Superfish root certificate," warns Rik Ferguson, vice president of security research for security software vendor Trend Micro, and a cybersecurity adviser to Europol, in a blog post that characterizes the Superfish software not as adware, but spyware.

In response to a request for comment on the matter, Adi Pinhas, CEO of Palo Alto, Calif.-based Superfish, tells Information Security Media Group: "Superfish has not been active on Lenovo laptops since December. It is important to note: Superfish is completely transparent in what our software does, and at no time were consumers vulnerable - we stand by this today."

Researchers Demonstrate Risks

Security researchers say the risk posed by Superfish is that it installs the same root certificate onto every Windows machine on which it resides, which it then uses to sniff - by decrypting and then re-encrypting - all SSL-encrypted traffic. As a result, would-be attackers who possess a copy of this certificate could launch a man-in-the-middle attack. "If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers' banking sites, personal data and private messages," CloudFlare principal security researcher Marc Rogers warns.

Robert David Graham, who heads information security research firm Errata Security, says this problem is not academic, because he - and other researchers - have cracked the Superfish digital certificate. "The consequence is that I can intercept the encrypted communications of SuperFish's victims - people with Lenovo laptops - while hanging out near them at a cafe WiFi hotspot."

While the digital certificate installed by Superfish was encrypted, Graham says that by using a dictionary-based attack, he was able to crack the password - "komodia" - in just 10 seconds.

Komodia: Warnings Sounded

That password is the same as the name of an Israeli company, Komodia, which according to a cached version of its website sells a software development kit that can be used to "inject JavaScript into any place in the HTML - HTTP or HTTPS - without relying on browser extensions," which is what Superfish does. The company's SDK also offers "global proxy interception," which is designed to bypass defenses that would otherwise counteract ad-injection software.

A Komodia spokesman declined to comment about whether Superfish is one of its customers. But since that potential connection came to light, Komodia has been on the receiving end of distributed denial-of-service attacks, with its website resolving to the following error message: "Site is offline due to DDOS with the recent media attention."

CloudFlare's Rogers says the exact same certificate - with the same password - appears to also be used in a range of products, including the "Keep My Family Secure" parental control software and the Kurupira Webfilter. "This means that those dodgy certificates aren't limited to Lenovo laptops sold over a specific date range," Rogers warns. "It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer, should probably check to see if they are affected."
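The two checks described above (is the application still installed, and is its root certificate still trusted) can be scripted on a Windows machine. The following is an added example, not Lenovo's or any vendor's removal tool; it assumes the certificate's subject or issuer and the program's display name contain the string "Superfish", and it only reports findings without removing anything.

```powershell
# Added example: report whether the application and its root certificate are present.
# Assumption: the vendor name appears in the certificate subject/issuer and in the
# installed program's display name. Adjust $namePattern to audit other products.
$namePattern = 'Superfish'

# 1. Trusted root stores for the machine and for the current user.
$rootStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$certFindings = foreach ($store in $rootStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $namePattern -or $_.Issuer -match $namePattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

# 2. Installed-program entries (standard Windows uninstall keys, 64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$appFindings = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $namePattern } |
    Select-Object DisplayName, DisplayVersion, Publisher

# 3. Report each finding separately: uninstalling the application does not
#    remove the certificate, so a clean program list is not sufficient.
if ($appFindings) {
    Write-Warning 'Matching application is still installed:'
    $appFindings | Format-Table -AutoSize
}
if ($certFindings) {
    Write-Warning 'Matching certificate is still in a trusted root store:'
    $certFindings | Format-List
}
if (-not $appFindings -and -not $certFindings) {
    Write-Output "No application or trusted root certificate matching '$namePattern' was found."
}
```

This covers the Windows certificate store only; applications that keep their own trust store, such as Firefox, need a separate check.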

Lenovo spokeswoman Wendy Fung confirmed that Lenovo received financial compensation for bundling Superfish software onto PCs. But she declined to detail the specifics of that arrangement, telling Information Security Media Group that "the relationship with Superfish is not financially significant."

Lenovo has promised to avoid pre-installing adware moving forward, with chief technology officer Peter Hortensius telling The Wall Street Journal that "we didn't do enough" due diligence before bundling Superfish. But he has continued to downplay the real-world risk posed by the tool as being security researchers' "theoretical concerns."

Hortensius says Lenovo is now preparing a tool "that removes all traces of the app from people's laptops," including the digital certificate that it installs. "Once the app-wiping software is finished ... we'll issue a press release with information on how to get it," he says.

But Lenovo declined to comment on queries about whether it would offer a product recall. Instead, it appears that eliminating the software from affected PCs will require users to first know that there's a problem, and then find and run the related update. Given the number of people who never manually update their PCs - not least for a piece of software they may never know was installed in the first place, never mind what it does - that means the risky Superfish root certificate may persist indefinitely on numerous systems.

Demand: Bare-Metal PCs

If there's one upside to the Superfish spyware saga, it's the potential for consumer outrage to make PC manufacturers rethink their "bloatware"-bundling ways. "Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system pre-installed," Trend Micro's Ferguson says. "Not only would this reduce cost to the user, it would also increase freedom of choice of operating system and hand full control back to the owner of the device."

In the Android smart phone and tablet ecosystem, for example, Google does this via its Nexus devices. All other major OEMs, however, "skin" their devices and install a customized version of Android.

But Lenovo has dismissed that possibility. "In general, we get pretty good feedback from users on what software we pre-install on computers," Lenovo CTO Hortensius tells The Wall Street Journal. "What we're going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers' computers. The outcome could be a clearer description of what software is on a user's machine, and why it's there."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



