Lenovo pre-loads 'Superfish' adware on some new laptops

Scorpus


Update #3 (Feb 21): Lenovo has released an automatic Superfish removal tool. In addition, the company updated its statement regarding the Superfish adware controversy, acknowledging the security risks and stating the company is now "focused on fixing" its mistake.

Update #2 (Feb 20): Microsoft has updated Windows Defender so it will remove Superfish adware by default.

Update (Feb 20): Lenovo has issued an official statement this morning addressing the controversy surrounding Superfish. According to the company, they haven't found any evidence to substantiate security concerns, but they're responding to customer concerns by dropping it from all past and future systems they sell. We've added the full statement at the end of this story.

Lenovo has been caught installing a type of adware, known as 'Superfish', onto some new consumer laptops that activates when a user powers on and sets up their machine for the first time.

Superfish hijacks your web browser to inject its own selection of ads into webpages, including Google searches. On top of that, the adware installs a self-signed certificate authority, which allows it to hijack secure connections such as banking websites, either to serve ads or snoop on users.

This type of behavior, especially hijacking secure connections for whatever purpose, is widely condemned and potentially malicious. Most anti-malware products will warn you against installing Superfish, or block the installer altogether, as its behavior is unwanted and unwarranted.

Bundling adware on new systems is a dodgy and dangerous move for one of the largest PC manufacturers in the world. Lenovo community administrator Mark Hopkins stated that Superfish is merely a helpful tool that "instantly analyzes images on the web and presents identical and similar product offers that may have lower prices", though its issues are clear and most users don't want the software installed at all.

For now, Lenovo has stopped bundling Superfish with new systems, although that's only until the company behind the adware can tweak it to make it less aggressive. Unless Lenovo has a change of heart, they will continue to bundle the adware with new systems in the near future.

As for those that are affected by Superfish, there are ways to remove the software from your system, though it's more complex than simply using an uninstaller. Purchasing a Lenovo laptop with Microsoft's Signature Experience on-board will also prevent Superfish, and any other crapware, from being installed in the first place.
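Because the adware installs its own certificate authority, checking the Windows trusted-root stores is a useful step after any removal. The script below is an added example, not Lenovo's or Microsoft's tooling; it assumes the certificate's subject or issuer contains the string "Superfish", and the removal line is left as a dry run.

```powershell
# Added example: audit the Windows trusted-root stores for a Superfish root CA.
# Assumption: the certificate's Subject or Issuer contains "Superfish".
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Issuer, Thumbprint, NotBefore, NotAfter,
                      # A root that names itself as its own issuer is self-signed.
                      @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
}

if ($hits) {
    $hits | Format-List
    Write-Warning "Found $(@($hits).Count) matching root certificate(s)."

    foreach ($hit in $hits) {
        # Dry run: -WhatIf only reports what would be deleted.
        # Drop -WhatIf (and run elevated for LocalMachine) to remove the certificate.
        Remove-Item -Path (Join-Path $hit.Store $hit.Thumbprint) -WhatIf
    }
} else {
    Write-Output 'No matching root certificate found in the Windows root stores.'
}
```

Firefox keeps its own certificate store separate from Windows, so a clean result here does not cover Firefox profiles; check its certificate manager as well.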

Lenovo has since responded to the controversy with the following statement:

Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

  • Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
  • Lenovo stopped preloading the software in January.
  • We will not preload this software in the future.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.

To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.

We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at https://forums.lenovo.com.


 
Meh, whenever I buy anyone a new laptop from almost any company I do a full wipe and re-install of Windows anyway xD it's usually quicker than manually installing all the crapware.
You beat me to it, I was going to say what's so complicated about doing a format and reinstalling your own copy of Windows, it's what I'd do anyway.
All pre-built systems come with a truckload of useless bloat/crapware and I couldn't be bothered taking ages to get rid of it all via uninstallers and other more complicated means. I do the same thing with smartphones, root them and get rid of all the garbage, you'd be surprised by the amount of valuable storage space you reclaim which was rightfully yours in the 1st place.
 
Which comes with crapware pre-loaded?
Nope, or at least I've never had that, you normally get another "Driver" disk which then installs all the crap. Dell do the same thing. You just throw away the disk and download them manually, you get the benefits of the newer drivers but without the crap.
 
While I'm happy all the tech-savvy people on here know how to format and install Windows, this is a major problem 1) for people who cannot format and install Windows and 2) for people who are simply not aware of the problem.
 
1. The serial should be in the BIOS, but if not use Belarc Advisor to easily grab your serial.
2. Shoot over to Microsoft and download a copy of Windows. I downloaded mine via bittorrent and confirmed the hash because it's way faster. :D 14,200 KBPS vs 2,100
3. Burn it or make a bootable flash drive with Rufus or a recovery partition to install from.
 
Note to self, do not ever suggest buying or buy a Lenovo laptop, even if I can format and start all over (which is a big waste of time).
Even though, apart from this, Lenovo is pretty much at the top with maybe 1 or 2 others in terms of good laptops/support?
 
1. The serial should be in the BIOS, but if not use Belarc Advisor to easily grab your serial.
2. Shoot over to Microsoft and download a copy of Windows. I downloaded mine via bittorrent and confirmed the hash because it's way faster. :D 14,200 KBPS vs 2,100
3. Burn it or make a bootable flash drive with Rufus or a recovery partition to install from.
Agree with your post but I've had issues with newer laptops on the first point. I've found Belarc Advisor and Magical Jelly Bean to be quite unreliable and giving false info when it comes to the Windows License Key. In a lot of modern Business Laptops I've also found it impossible to get the Key out of the BIOS, it must be there as the official recovery disks for said laptops work straight away but I cannot always get the serial out of the BIOS :/

Still though, Even with the hassle, I always re-build laptops, they just run better and are quicker than the standard install it comes with, even with all the crapware uninstalled.
 
Meh, whenever I buy anyone a new laptop from almost any company I do a full wipe and re-install of Windows anyway xD it's usually quicker than manually installing all the crapware.
Exactly! You never know what manufacturers put on there...
 
The main problem with the format-the-computer theory is that you lose the original Windows bundled license.

No you don't. Not even close. Your license key is still yours. And now conveniently tucked away in the BIOS is your license key, you can completely format any new laptop and use a generic universal iso install disk image and it will automatically install that key and the appropriate windows feature set for that key.
 
You should just uninstall Superfish like I did. Lenovo themselves have published instructions on how to tackle this on their official forum - http://goo.gl/1wCvYQ . Hope this helps :)
Format is the only option here. They've breached your trust, who's to say there isn't more garbage floating around that just hasn't been found yet?
 
Why don't I believe what they say now? Lenovo is off of my choice list for my next laptop. As soon as the USB3.2 standard is common I'm buying
 
God, these corporations are kind to themselves! A quick apology and they're off the hook. Oh sure, people are going to be pissed, but soon enough all will be forgotten; consumers are notoriously myopic when it comes to this stuff.
 
What a bunch of baloney! I started my browser (Firefox) this morning and suddenly I see 2 ad placeholders on the left and right of my screen, so I went to check my extensions and voilà: some shitty extension installed by itself that made it possible to bypass even my ADB + antiblock ADB!!

I went immediately into my latest adwcleaner tool update and guess what it found? SUPERFISH!! And I'm on a desktop, no Lenovo here!!

It removed everything embedded into my Firefox pref.js settings and profile that smelled of fish*, and now my PC is clean of this garbage!

So Lenovo lies when they say it comes preloaded only with Lenovo laptops, it seems they have a bigger target out there!
 
So much ignorance here and elsewhere: "I will not buy Lenovo again" and such… No, Lenovo is a top brand with an excellent price/quality ratio, so I would buy another of their products in the future; just read carefully before buying any tech nowadays. At the end, Superfish is made just to show ads with similar items in which the computer owner is interested. It doesn't steal money, but yet it opens a big backdoor for hackers now, which is the biggest problem. This smells like a big conspiracy from the competition, as their sales are affected by the good results Lenovo made last year.
 