TechSpot

The harmful code recently found on Lenovo machines is now surfacing in other apps

By Justin Kahn
Feb 23, 2015
  1. As we previously reported, Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code. The appearance of the potentially harmful software was not only shocking to many, but also prompted researchers to look around...

     
  2. Scshadow

    Scshadow TS Guru Posts: 469   +97

    "Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

    Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so let's try to be accurate here.
     
    ikesmasher and cliffordcooley like this.
  3. OneSpeed

    OneSpeed TS Addict Posts: 251   +73

    Superfish is bad enough, never mind letting other forms of self signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.
     
  4. treeski

    treeski TS Evangelist Posts: 962   +205

    This is probably recommended regardless of which computer manufacturer you choose to buy from.
     
  5. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,662   +311

    The part of the story that really bothers me is the validity of Root and Intermediate Certificates. Apparently, the Komodia stuff is an open barn door for breaking HTTPS. This is bigger than Lenovo.

    It appears that Microsoft can evaluate certificates and has taken steps to clear up the Superfish mess - but what about the others?!?!

    Does anyone have a good 'white list'?
     
  6. "Self signing certificates" itself is not all that bad. It is a legit practice used by many, such as Anti-virus software and other security software. The real issue here is that the certificates are not done properly by Komodia by using the _same key_ on all computer systems. This makes a malicious attack practical. It is an issue easy to overlook, though, because to discover the vulnerability, one essentially has to intentionally crack the encryption to know the key, as done by the "security analyst" in this case.
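
Added example, not part of any post in this thread: a root-store audit that combines the allowlist asked about above with the shared-key point, flagging any non-allowlisted root whose public key appears on more than one machine. The hostnames, subjects and `spki-...` values are constructed placeholders, and collecting each root's public-key (SPKI) hash from the hosts is assumed to happen elsewhere.

```python
from collections import defaultdict

# Constructed allowlist: SPKI hashes of roots you accept (for example, taken
# from a clean reference image). Placeholder strings, not real hashes.
ALLOWED_SPKI = {"spki-aaa", "spki-bbb"}

# Constructed inventory: (host, certificate subject, SPKI hash) for each entry
# found in that host's trusted root store.
INVENTORY = [
    ("laptop-01", "CN=Public Root A", "spki-aaa"),
    ("laptop-01", "CN=Preloaded Proxy Root", "spki-ccc"),
    ("laptop-02", "CN=Public Root A", "spki-aaa"),
    ("laptop-02", "CN=Preloaded Proxy Root", "spki-ccc"),
    ("laptop-02", "CN=AV Scanner Root", "spki-ddd"),
    ("desktop-07", "CN=Public Root B", "spki-bbb"),
    ("desktop-07", "CN=AV Scanner Root", "spki-eee"),
]


def audit_roots(inventory, allowed_spki):
    """Return findings for roots outside the allowlist, shared keys first."""
    hosts_by_key = defaultdict(set)
    subjects_by_key = defaultdict(set)
    for host, subject, spki in inventory:
        if spki in allowed_spki:
            continue  # root is on the allowlist, nothing to report
        hosts_by_key[spki].add(host)
        subjects_by_key[spki].add(subject)

    findings = []
    for spki, hosts in hosts_by_key.items():
        # A locally generated root has a key unique to one install. The same
        # key on several hosts means the private key ships with the software.
        severity = "shared-key" if len(hosts) > 1 else "per-host"
        findings.append({
            "severity": severity,
            "spki": spki,
            "subjects": sorted(subjects_by_key[spki]),
            "hosts": sorted(hosts),
        })
    findings.sort(key=lambda f: (f["severity"] != "shared-key", f["spki"]))
    return findings


if __name__ == "__main__":
    for f in audit_roots(INVENTORY, ALLOWED_SPKI):
        print(f["severity"], f["spki"], f["subjects"], f["hosts"])
```

Grouping by public key rather than by subject name matters because the same key can be re-issued under different certificate names.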
     
  7. amstech

    amstech TechSpot Enthusiast Posts: 1,457   +606

    It's impressive work by Uncle Sam.
     
  8. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,662   +311

    So, it is a good tool gone bad due to sloppy origination by folks who should know better and were thought to be trustworthy. Sounds like it still needs policing. Is there a 'white list'? Do any of the security software folks (Symantec, Trend Micro, AVG, etc) deal with this? I found this KB at Microsoft ( http://support.microsoft.com/kb/931125 ) and I believe it applies, but I would really like to hear from an expert.
     
  9. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,513   +2,057

    You mean to say you've never done this before when buying any pre-built system? How strange. I thought it was a natural instinct for all us techie type folks to do a format and install a clean operating system before even unsealing the box the system comes shipped in. Not that you'd expect spyware to be pre-installed by a reputable manufacturer, but at least to get rid of the tons of crapware & bloatware which is always a given.
     
  10. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,662   +311

    Since most of us are builders and we never buy pre-built systems, we may have overlooked that good advice to others. However, my guess is that if you are buying pre-built that you would be uncomfortable about wiping out your hard drive and choose instead to rely on your supposedly reputable OEM.
    Public square pillory is the only redress and a good white list for trusted CAs is necessary.
     
  11. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,513   +2,057

    I agree most of us are builders but how many of us build laptops? My bad, I should have been more clear in my post. :oops:
     
  12. bexwhitt

    bexwhitt TS Addict Posts: 291   +55

    Buy, wipe and clean install. Getting hold of an ISO of Windows is not hard; booting a DVD on a UEFI BIOS can be tricky though, depending on the implementation.

    Microsoft would not dare put this sort of stuff into vanilla Windows, as they would get screwed by lawsuits. Also, it's bad business.
     
  13. Scshadow

    Scshadow TS Guru Posts: 469   +97

    Why waste the DVD? I create a USB stick with Rufus. Format GPT for UEFI BIOS and I believe anything Windows 8 and newer should boot without disabling Secure Boot. I'm not familiar with how they are signed but I haven't needed to disable Secure Boot in a while. The original ISO stays in my collection on my external and the USB key gets reused for my next project.
     
    Last edited: Feb 24, 2015
