That’s no Superfish, Lenovo, it’s stinkyfish

For years, when you bought a new PC from the likes of Dell, HP, Lenovo and other Windows PC makers, you tended to get crapware on the computer.  These companies make a few dollars by installing this crapware that you, likely, never use.  Most of the time, all it tends to do is eat up space on the storage device and, often, can slow your computer down a bit.  Now, however, it can also break something called SSL and that’s bad.

The crapware in question is called Superfish and it came pre-loaded on consumer PCs from Lenovo.  Now, before I go on, let me say that Lenovo, a Chinese-owned company, makes excellent computers.  They made the IBM ThinkPad and desktop computers for years before buying the whole line from IBM.  The consumer grade stuff is just as well designed and built and I would have recommended them in a heartbeat.

Sadly, I can’t do that now.

Superfish is a package that injects advertising into web pages.  ANY web page, even those that did not have any ads.  And, worse, it had to break SSL encryption to do so.

It uses a root certificate that is SHARED.  That is, the same certificate is packaged with the product and distributed to every computer that gets Superfish.  It is installed as a trusted root, so it takes precedence over the SSL certs the sites themselves present.  This is called a ‘man-in-the-middle’ attack and it is bad.  What it means is that when you log into a secure, SSL-protected site, say your bank, this product negates that protection and then serves up the ads.  In doing so, it opens up your connection to snooping and your computer becomes vulnerable.
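One practical defender's check for the situation described above, as an added example that is not from the original post: list every certificate in the Windows trusted-root stores whose name matches a suspect CA, or that carries a private key at all. A genuine public root never ships with its private key, so a root entry that has one is exactly what a shared, pre-installed interception certificate looks like. The search term `Superfish` is the only thing assumed from the post; everything else is standard PowerShell.

```powershell
# Added example, not Lenovo's or Superfish's code: audit the trusted-root
# certificate stores on a Windows PC for a CA that should not be there.
$pattern = 'Superfish'   # assumed search term; substitute any suspect CA name

# Both the machine-wide and the per-user root stores can hold a trust anchor.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        # Flag on either signal: the name we are hunting for, or a root that
        # has a private key on this machine (never true for a legitimate root).
        $nameHit = ($cert.Subject -match $pattern) -or ($cert.Issuer -match $pattern)
        $hasKey  = $cert.HasPrivateKey

        if ($nameHit -or $hasKey) {
            $reason = if ($nameHit) { 'name match' } else { 'private key present' }
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                HasKey     = $hasKey
                Reason     = $reason
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No root certificate matched '$pattern' and no root carries a private key."
}
```

Run it from an elevated PowerShell prompt so the LocalMachine stores are readable. A hit can be deleted with `Remove-Item` on its `Cert:\...\<Thumbprint>` path, but the software that installed the certificate must be uninstalled first or it will simply put the root back.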

Initially, Lenovo said it was a benefit, giving its users a chance to see ‘alternative’ choices in the ads it served.  As anger grew, Lenovo’s response changed, several times, and now the company is saying that they will no longer offer up crapware.  They have been cagey about this, so time will tell if they mean it or not.

Now, the company that developed Superfish claims that the piece that breaks encryption was developed by another company, Komodia.  This is troubling because this company has its hooks in well over a hundred other applications and services, including several anti-virus applications, parental control apps (just stick with the Microsoft supplied solution for this, it is great and works well) and other popular applications.

eWeek has a much better explanation of the problem here.

Sadly, I cannot recommend Lenovo and will even go so far as to say you should probably avoid it for now.  While the Superfish crapware can be removed, Lenovo’s response and initial attitude has discredited them and, for me, it will take a long time to rebuild that trust.  Sad, really, since the hardware is great. 

And, by the way, Microsoft’s Security Essentials has been updated to detect and wipe out this mess.  It thinks it is a virus.

I’d say it is right.
