Earlier today, TheNextWeb reported to have found evidence that Lenovo had been preinstalling adware software from Superfish on brand new computers. Complaints on the customer forums point to adware that injects third-party advertisements onto Google searches and websites without the user’s permission.
Not long after the news spread wide, Lenovo contacted TechCrunch to confirm that the software has been disabled server-side since January and the company has stopped pre-installing it on new devices.
Update: Got Superfish? Here’s how to get rid of it.
In January, Lenovo did admit that Superfish was being used, but called it a Visual Discover browser program intended to “help users find and discover products visually.” The company stated that, due to numerous customer complaints, the software would be temporarily disabled until Superfish could address an issue with pop up browser behavior.
After TheNextWeb’s report came out, the company also posted an article in the forums explaining how to remove Superfish from your computer. The article noted that the adware was installed on “some consumer notebook products” between October and December, but due to customer complaints, has been rendered inactive and Lenovo stopped preloading the software in January and will not preload it in the future.
Security news blogger Marc Rogers wrote a scathing piece on Superfish’s process, claiming that the adware uses a man-in-the-middle attack to break secure connections in order to inject advertisements. He also accuses Superfish of showing users fake SSL certificates (with a picture for proof, see above) instead of a website’s legitimate one so it can install third-party advertisements directly to a site.
Lenovo, however, says the company has “thoroughly investigate the technology and do not find evidence to substantiate security concerns.”
As much as I want to believe that Lenovo has done its due diligence to protect its customers, I have trouble believing the above statement for a couple of reasons.
The first being that Lenovo claims the adware was installed on computers between October and January. However, a forum post dated Sept. 21 shows screenshots of Superfish running on a Lenovo computer.
Additionally, this issue has been known since Sept. 2014, but the first response I could find from the company was the Jan. 23 post, when a forum administrator noted the existence of Superfish and said that the software had been removed from consumer systems.
Even though customers complained for month before, and continued to complain about the adware for the next month, I never found any official announcement from Lenovo until after TheNextWeb made it public.
It just makes it hard to trust what Lenovo is stating. It is like hearing a witness testimony and catching the person in a lie. From that moment on, everything the witness says is under suspicion.
I confirmed my girlfriend’s laptop has the Superfish software and certificate. The software can be removed but the certificate cannot be removed in Internet Explorer (what she likes to use). I have told her not to do her banking on this machine and not to use it at all outside of the house until this issue is addressed. I am hoping a Windows 10 upgrade will either take care of this or allow me to do so.
Just found the instructions on how to remove the certificate. Guess what I am doing as soon as I get home. I am in the market for a traditional desktop for my main machine at home. Lonovo will definitely NOT be on the list of prospects.
there is only ONE WAY to punish misbehaving companies, specially it ones. cut down their revenues drastically!!!! this means do NOT buy their products any more.
The forum link was fascinating reading. Loved how user “iknorr” stuck to his guns early on (9/21/14) as moderator and fanboys tried to dismiss his concerns. Suggestions to wipe the HD and reinstall, missed the point of the post completely.
The discussions essentially ended that same day after just a few messages and picked up again 2 months later (11/23/14) and dies a couple of days soon thereafter. It picks up again in a month’s time (12/27/14) with a couple of more Lenovo apologists. Now some angrier posts at the start of January but continued push back from community members until REP “Mark_Lenovo” issues statement on 1/23/15:
“we have temporarily removed Superfish from our consumer systems until
such time as Superfish is able to provide a software build that
addresses these issues. As for units already in market, we have
requested that Superfish auto-update a fix that addresses these issues.” (He goes on about how innocuous Superfish is). So… Lenovo still didn’t get it.
On 2/18/15, The Post ‘lights up’. Some great quotes follow:
‘ryanhell_sea’: “Let me make this clear: NO PROGRAM; of ANY calibre, used for ANY device,
should ever (EVER!) interface between my keyboard and a HTTPS site.”
‘cybergibbons’: “…also need to warn people that they have been put at risk of data theft and their private information may have been leaked.”
‘001’: unable to retrieve quote because… profanity.
From the site [Admin Edit; Profanity removed; No posts, forum IDs or email addresses shall contain profanity (implied or otherwise)]
‘ryanhell_sea’: “would you install a hidden spy cam above the shower in a new home you
built, to detect when someone left the room, so the lights turrned off?”
davidhbrown: “Stupid, stupid, stupid. Installing a wildcard root certificate from an adware company?”
‘BigJobs’: “To do this without explicitly telling the user what this means is nothing short of criminal malware.”
Stopping at page 6 (Lenovo dug themselves a pretty deep hole). I’m just shocked.
Wow, totally changes my opinion of Lenovo.
Exactly. Now, I’ll never buy anything from them ever. This is totally unacceptable.
A very unfortunate discovey indeed… as I’m actually considering several Lenovo rigs to move on to. Maybe just pull the trigger, wipe and low lvl format the main storage and clean install the OS from scratch.
Why? They should be punished for what they are doing. Take your money elsewhere!
Exactly. The only way companies will get the message is if people return already purchased products to the store and refrain from buying new ones.
But if they’ve done the right thing and remove the offending software, how is continuing to punish them for their previous transgression going to help encourage good behavior in future?
Why did they remove it? Exactly! Because somebody found out and not because they had a bad conscience.
You missed the point. I agree, they did it because of the adverse publicity, not because of a bad conscience. But continuing to punish a company once they correct their bad behavior is simply perverse.
For example, you decide to boycott a company over, say, using sweatshops to make their products, and they decide to stop using those sweatshops as a result. The boycott succeeded in correcting their bad behavior, and would normally be called off.
But what if everyone said, no, we’re continuing to boycott that company? What would be the goal of that boycott? The only possible outcome would be for the company to say, well, screw it, if we can’t convince you start buying our stuff again by mending our way, then why should we bother? We were making a nice profit from those sweatshop products anyway.
Any parent knows that rewarding good behavior is at least as important as punishing bad if you want your kids to keep behaving well.
It does send a message to the rest of the industry. If you immediately forgive them and become a customer again, that tells other companies they can do what they want, and if they get caught, they can apologize and all will be forgiven. If the time between being proven wrong (I say proven because Lenovo denied it for so long) and making a correction is small enough, the loss of sales would be zero. If the boycott continues to sting for an extended period of time, it sends the message that if you mess with your customers, the punishment will not be so gentle. With little threat of punishment comes little incentive not to do wrong. If one company gets away with using sweatshops, and therefore making lots of money, for 10 years before being caught and then just stops the practice and sales are never affected, other businesses are going to want to follow the same practice for as long as they can as well. To use your parenting analogy, if one child does wrong but also immediately expresses regret and promises to not do it again, and there is no punishment, what message would that send to the child, and other siblings in the family? Maybe we should empty our prisons of all criminals that confess to doing wrong? I agree with lesser punishments for wrongdoers who change their ways, but to drop the punishment all together sends the wrong message. Just my opinion.
There is a lot of room between “immediately forgive” and “continue to punish.” Yes, it would be naive to assume that all is sweetness and light, but if you continue to punish every computer manufacturer for every transgression they’re caught in, you would very rapidly run out of options. If the offense is part of a pattern, then the problem still exists, and sanctions continue to be warranted.
“But continuing to punish a company once they correct their bad behavior is simply perverse.”
So, from your comment, I am guessing that when the allied forces defeated the nazis, had Hitler confessed to doing wrong and promised not to do it again, you would have let him walk away a free man? I mean, what is the point of punishing someone who has corrected their bad behavior. Admittedly, a bit of an extreme example, but I think it makes my point well enough.
Lol. Your analogy is just sooo bad. You are talking about punishing Germany as a whole country for what Hitler did. Lenovo and every other PC makers out there sign deals with these ad company to preinstall crapware. Lenovo screw up by not vetting this one but you are making it sound like the CEO of the company personally decided to have these install.
Godwin’s Law confirmed in rapid time.
I had never heard of Godwin’s Law, but I confess Hitler analogies are oh so lame. Maybe confessing it’s a bit extreme helps a little? Anyways, I stand by my argument. Admitting one is wrong does not negate the need for punishment, simple as that.
When you don’t have a valid argument, try to change the subject, confirmed in rapid time.
“But continuing to punish a company once they correct their bad behavior is simply perverse.”
So far Lenovo hasn’t received any significant punishment for their very serious offense against consumers. Are you arguing that because they stopped after getting caught red handed, there should be no meaningful consequences for their bad action? A lot of criminals would love a justice system that worked that way.
“Any parent knows that rewarding good behavior is at least as important
as punishing bad if you want your kids to keep behaving well.”
Lenovo knew what they were doing when their management approved including that malware. They aren’t innocent children who didn’t know any better.
If Lenovo doesn”t suffer in a meaningful way, it is only a matter of time until they try to violate customer trust again in the name of greed. They need to know there are red lines a company cannot cross, because if they do their survival is very much at risk.
Who knows what else Lenovo is doing. I’ll refrain from buying any Lenovo products for a few years to make sure they really aren’t intentionally risking users’ security anymore.
Actually, not even “because somebody found out”. If that were the case they would have removed the software months ago. But they didn’t, they denied it and tried to discredit their accuser. To me, they deserve punishment for 2 wrongdoings; installing the software and then repeatedly lying to their customers about it for as long as possible. I like Lenovo’s products that I have used, and will give them a chance again, but not for at least several months. Just my opinion.
I never ruled an outright boycott out. Looking at these fine newer Dell or Asus kits as well.