The Stack Archive

Lenovo releases clean-up tool to protect users against Superfish security flaw

Mon 23 Feb 2015

After last week’s uncovering of the Superfish vulnerability, a ‘very embarrassed’ Lenovo has released a removal tool for the adware which invades browsers and injects advertisements into web pages.

The Chinese PC firm’s move to publish the removal tool follows days of attempting to make amends for the ‘mess-up’ after US internet watchdog US-CERT warned that the malware was a “critical” threat to security: “This vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system.”

In response, Lenovo said late on Friday that it had “stopped preloads beginning in January” and that it was taking “additional actions” to ensure its customers were kept up-to-date with how to respond to the exposed security flaw.

Lenovo has this weekend launched an “automated tool to help users remove the software and certificate” and also made clear that it would be working closely with Microsoft and McAfee to help create a patch and destroy the malware.

A statement from Lenovo read:

We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday [20th February]. Now we are focused on fixing it.

Since that time we have moved as swiftly and decisively as we can based on what we now know. While this issue in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed.

We apologise for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future.

On Friday Superfish assured users that they need not be concerned about the safety of the code despite warnings given out by US-CERT and other security experts:

“Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped,” said Superfish CEO Adi Pinhas.

“Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat.”

