Earlier today, TheNextWeb reported that it had found evidence that Lenovo had been preinstalling adware from Superfish on brand new computers. Complaints on the customer forums point to adware that injects third-party advertisements into Google searches and websites without the user’s permission.
Not long after the news spread widely, Lenovo contacted TechCrunch to confirm that the software has been disabled server-side since January and the company has stopped pre-installing it on new devices.
Update: Got Superfish? Here’s how to get rid of it.
In January, Lenovo did admit that Superfish was being used, but called it a Visual Discover browser program intended to “help users find and discover products visually.” The company stated that, due to numerous customer complaints, the software would be temporarily disabled until Superfish could address an issue with pop-up browser behavior.
After TheNextWeb’s report came out, the company also posted an article in the forums explaining how to remove Superfish from your computer. The article noted that the adware was installed on “some consumer notebook products” between October and December but, due to customer complaints, has been rendered inactive. It added that Lenovo stopped preloading the software in January and will not preload it in the future.
Security news blogger Marc Rogers wrote a scathing piece on Superfish’s process, claiming that the adware uses a man-in-the-middle attack to break secure connections in order to inject advertisements. He also accuses Superfish of showing users fake SSL certificates (with a picture for proof, see above) instead of a website’s legitimate one so it can install third-party advertisements directly onto a site.
Lenovo, however, says the company has “thoroughly investigated the technology and do not find evidence to substantiate security concerns.”
As much as I want to believe that Lenovo has done its due diligence to protect its customers, I have trouble believing the above statement for a couple of reasons.
The first is that Lenovo claims the adware was installed on computers between October and January. However, a forum post dated Sept. 21 shows screenshots of Superfish running on a Lenovo computer.
Additionally, this issue has been known since Sept. 2014, but the first response I could find from the company was the Jan. 23 post, when a forum administrator noted the existence of Superfish and said that the software had been removed from consumer systems.
Even though customers complained for months before, and continued to complain about the adware for the next month, I never found any official announcement from Lenovo until after TheNextWeb made it public.
It just makes it hard to trust what Lenovo is stating. It is like hearing a witness’s testimony and catching the person in a lie. From that moment on, everything the witness says is under suspicion.