Lenovo admits security issues with Superfish, releases removal tool

After playing a dead bat and attempting to push the perception that Superfish was not a security concern, Lenovo has admitted that it was caught napping on the security implications of preloading a piece of adware that installed its own self-signing man-in-the-middle proxy service that hijacked SSL/TLS connections.

"We did not know about this potential security vulnerability until yesterday," Lenovo said in a statement released on Saturday, Sydney time. "We recognise that this was our miss, and we will do better in the future. Now we are focused on fixing it."

To that end, Lenovo has joined Microsoft in offering a removal tool to fix the Superfish issue.

The Chinese hardware manufacturer said it is working with McAfee and Microsoft to have Superfish quarantined or removed by their tools.

"This action has already started and will automatically fix the vulnerability even for users who are not currently aware of the problem," the company said.

"While this issue in no way impacts our ThinkPads, any tablets, desktops, or smartphones, or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed.

"We apologise for causing these concerns among our users for any reason -- and we are learning from experience and improve what we do and how we do it."

The source code for Lenovo's Superfish removal tool is now available on GitHub, and whereas the fix with Windows Defender does not remove the root certificate from Mozilla Firefox's certificate store, Lenovo's tool claims it does.

"We will continue to take steps to make removal of the software and underlying vulnerable certificates in question easy for customers so they can continue to use our products with the confidence that they expect and deserve," the company said in its statement.

The reversal and admission of the security issues surrounding Superfish by Lenovo come a day after the company dismissed concerns as "theoretical".

"We have thoroughly investigated this technology, and do not find any evidence to substantiate security concerns," Lenovo said in a statement yesterday.

However, a security advisory published by Lenovo rated the incident as highly severe.

Yesterday, Lenovo said that Superfish was shipped on its notebook devices between September and December 2014. In January, as a result of user feedback, the product was disabled by Superfish on its end, and Lenovo stopped preloading the software.

Lenovo has also revealed that significant money did not change hands for it to preload Superfish.