The March 2015 Portal just came out. It’s all about Superfish, adware preinstalled on certain Lenovo laptops, supposedly to enhance users’ choices and options while shopping. In practice the software breaks the basic protections built into TLS and the digital certificate system that online commerce depends on: it installs its own root certificate on the machine and intercepts HTTPS connections so that it can read and alter traffic that should be encrypted end to end.
Superfish, to paraphrase our Vice President Jamii Corley, is like a salesman so pushy that he breaks all the locks on your house in his eagerness to get in, then leaves them broken so that anybody else, salesman or impersonator, can walk in after him. Another way of looking at it is that Superfish forged the seals on the documents that assure you the party you’re talking to is the one you intended, rendering the whole system worthless. The broken locks are literal: every affected laptop shipped with the same root certificate and the same private key, and once that key was extracted, anyone on the same network could present a forged certificate for any HTTPS site and the laptop would accept it as genuine. Either way, it smells.
It’s such a dangerous threat that the Department of Homeland Security has recommended it be removed as soon as possible. However, it turns out that’s not so easy. Lenovo claims to have stopped installing it, but laptops with it preinstalled are still being shipped. And while Lenovo has published removal instructions, their method leaves the application and its libraries intact. Worse, uninstalling the application by itself does not remove the root certificate it planted in the Windows trust store, and that certificate is what actually breaks TLS; until it is deleted, the machine still trusts anything signed with the leaked Superfish key.
Fortunately, there are other options. First of all, there’s a simple online test to see if your brand-new laptop is affected. And here’s Lenovo’s list of models that “may be” infected.
It may prove safer, if more complicated, to remove it by hand. Several antivirus vendors also offer removal tools for those less technically inclined, but the offerings seem to change daily, so check exactly what a given tool removes (the application, its libraries, and the root certificate) before investing time and money in it.
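The check a practitioner will want, as an added example that is not part of the original post and not Lenovo’s or Superfish’s own tooling: Superfish works by installing a self-signed root certificate (subject “Superfish, Inc.”) into the Windows trusted root store, which is what lets its local proxy forge a certificate for any HTTPS site. The script below looks for that certificate in the machine and user root stores, removes it, and verifies it is gone; the subject match and the two store paths are the only assumptions it makes.

```powershell
# Added example, not Lenovo's or Superfish's code. Finds the Superfish root
# certificate in the Windows trusted root stores and removes it.
# Assumption: the certificate's subject contains "Superfish", as the shipped
# certificate's did (CN=Superfish, Inc.). Run from an elevated prompt so the
# LocalMachine store can be modified.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect every trusted root whose subject mentions Superfish.
$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -match 'Superfish' }
}

if (-not $suspects) {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
} else {
    foreach ($cert in $suspects) {
        Write-Output ("Found {0} (thumbprint {1}) in {2}" -f $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
        # Deleting the certificate is what actually restores TLS: once it is out of
        # the trust store, certificates forged with the leaked key are rejected.
        Remove-Item -Path $cert.PSPath
    }
}

# Verify: nothing with a Superfish subject should remain in either store.
$remaining = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -match 'Superfish' }
}
if ($remaining) {
    Write-Warning 'Superfish certificate still present; re-run from an elevated prompt.'
} else {
    Write-Output 'Windows root stores are clean.'
}
```

This only covers the Windows trust store. Firefox keeps its own certificate store, so a clean Windows store says nothing about Firefox, and the Superfish application and its libraries are a separate uninstall. Removing the certificate is the step that matters for TLS; do it first, then deal with the rest.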
Also, Mozilla has scrubbed the certificate from its popular Firefox browser with a hotfix (Firefox keeps its own trust store, so cleaning the Windows store does not fix Firefox), and Microsoft has added Superfish to the list of things its automatic malware removal tooling cleans up, too.
However, there is more to the story. Lenovo claims it knew the software was flawed but trusted Superfish to fix it rather than dropping them. Superfish, for its part, has not apologized; it has pointed fingers at Komodia, the software vendor that sold it the “SSL hijack” interception technology. The finger-pointing will doubtless continue, though lawsuits may eventually straighten it all out.
Worse, experts fear that other, even more malicious software already uses the same techniques in the wild; the interception component came from a third-party vendor, and Superfish is not the only product built on it. So the cat is out of the bag. The debacle may lead to much-needed changes in the TLS certificate scheme, but one thing is sure: this kind of problem is not going away soon.