Security The harmful code recently found on Lenovo machines is now surfacing in other apps

J

Justin Kahn

Posts: 752   +6
As we previously reported, Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code. The appearance of the potentially harmful software was not only shocking to many, but also prompted researchers to look around...

[newwindow="https://www.techspot.com/news/59832-harmful-code-recently-found-lenovo-machines-now-surfacing.html"]Read more[/newwindow]
 
S

Scshadow

Posts: 636   +285
"Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so lets try to be accurate here.
 
  • Like
Reactions: ikesmasher and cliffordcooley
O

OneSpeed

Posts: 432   +229
Scshadow said:
"Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so lets try to be accurate here.
Click to expand...

Superfish is bad enough, never mind letting other forms of self signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.
 
Cycloid Torus

Cycloid Torus

Posts: 4,712   +1,515
The part of the story that really bothers me is the validity of Root and Intermediate Certificates. Apparently, the Komodio stuff is an open barn door for breaking HTTPS. This is bigger than Lenovo.

It appears that Microsoft can evaluate certificates and has taken steps to clear up the Superfish mess - but what about the others?!?!

Does anyone have a good 'white list'?
 
G

Guest

"Self signing certificates" itself is not all that bad. It is a legit practice used by many, such as Anti-virus software and other security software. The real issue here is that the certificates are not done properly by Komodia by using _same key_ on all computer systems. The makes malicious attack practical. It is an issue easy to overlook though because to discover the vulnerability, one essentially have to intentionally crack the encryption to know the key, as done by the "security analyst" in this case.
 
Cycloid Torus

Cycloid Torus

Posts: 4,712   +1,515
So, it is a good tool gone bad due to sloppy origination by folks who should know better and were thought to be trustworthy. Sounds like it still needs policing. Is there a 'white list'? Do any of the security software folks (Symantec, Trend Micro, AVG, etc) deal with this? I found this KB at Microsoft ( http://support.microsoft.com/kb/931125 ) and I believe it applies, but I would really like to hear from an expert.
 
Skidmarksdeluxe

Skidmarksdeluxe

Posts: 8,645   +3,288
OneSpeed said:
Scshadow said:
"Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so lets try to be accurate here.
Click to expand...

Superfish is bad enough, never mind letting other forms of self signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.
Click to expand...
You mean to say you've never done this before when buying any pre-built system? How strange. I thought it was a natural instinct for all us techie type folks to do a format and install a clean operating system before even unsealing the box the system comes shipped in. Not that you'd expect spyware to be pre installed by a reputable manufacturer, but at least to get rid of the tons of crapware & bloatware which is always a given.
 
Cycloid Torus

Cycloid Torus

Posts: 4,712   +1,515
Skidmarksdeluxe said:
OneSpeed said:
Scshadow said:
"Lenovo apparently pre-loaded a number of its machines with Superfish adware along with other malicious code."

Uh... I thought Superfish was the malicious code. Are you trying to say Lenovo just loaded up their machines with multiple pieces of malicious software? They're getting enough bad PR as it is, so lets try to be accurate here.
Click to expand...

Superfish is bad enough, never mind letting other forms of self signing certificates reside in your OS. I've bought Lenovo for over 20 years now, and if I continue to do so, I'd format the drive (or install a new one) and do a clean install without any pre-loaded bloat.
Click to expand...
You mean to say you've never done this before when buying any pre-built system? How strange. I thought it was a natural instinct for all us techie type folks to do a format and install a clean operating system before even unsealing the box the system comes shipped in. Not that you'd expect spyware to be pre installed by a reputable manufacturer, but at least to get rid of the tons of crapware & bloatware which is always a given.
Click to expand...
Since most of us are builders and we never buy pre-built systems, we may have overlooked that good advice to others. However, my guess is that if you are buying pre-built that you would be uncomfortable about wiping out your hard drive and choose instead to rely on your supposedly reputable OEM.
Public square pillory is the only redress and a good white list for trusted CAs is necessary.
 
Skidmarksdeluxe

Skidmarksdeluxe

Posts: 8,645   +3,288
Cycloid Torus said:
Since most of us are builders and we never buy pre-built systems, we may have overlooked that good advice to others. However, my guess is that if you are buying pre-built that you would be uncomfortable about wiping out your hard drive and choose instead to rely on your supposedly reputable OEM.
Public square pillory is the only redress and a good white list for trusted CAs is necessary.
Click to expand...
I agree most of us are builders but how many of us build laptops? My bad, I should been more clear in my post. :D
 
bexwhitt

bexwhitt

Posts: 526   +217
Buy wipe and clean install, getting hold of an ISO of windows is not hard, booting a DVD on a UEFI bios can be tricky though depending on the implementation.

Microsoft would not dare put this sort of stuff into vanilla windows as they would get screwed by lawsuits also it's bad business
 
S

Scshadow

Posts: 636   +285
bexwhitt said:
Buy wipe and clean install, getting hold of an ISO of windows is not hard, booting a DVD on a UEFI bios can be tricky though depending on the implementation.
Click to expand...
Why waste the DVD? I create a USB stick with rufus. Format GPT for UEFI bios and I believe anything windows 8 and newer should boot without disabling secure boot. I'm not familiar with how they are signed but I haven't needed to disable secure boot in awhile. The original iso stays in my collection on my external and the USB key gets reused for my next project.
 
Last edited:
You must log in or register to reply here.

Similar threads

Bob O'Donnell
The time for pragmatism in tech is now
Replies
6
Views
1K
Markoni35
M
midian182
HP's Labor Day Sale is live: great deals on laptops, monitors, printers, and more
Replies
0
Views
315
midian182
midian182
Matthew DeCarlo
Weekend tech reading: 2016 hardware in review, 2017 tech company deathwatch, can you VR on a laptop?
Replies
0
Views
738

Latest posts