
Lenovo's Superfish blunder makes it harder for you to love Windows

So what can Microsoft do to make us trust PCs again?
Written by Mary Branscombe, Contributor

Microsoft wants to make customers love Windows, CEO Satya Nadella said at the Windows 10 event in January.

But the company wants to do that without changing the fact that you don't buy Windows from Microsoft - you buy it as part of a PC that Microsoft has little control over.

By preloading Superfish, software that intercepts secure web traffic to insert ads, and doing it with a self-signed root certificate whose private key ships on every affected machine and has already been extracted (so your browser can no longer tell a genuine site from an impostor), Lenovo has shown quite how much of a problem that can be.

PC makers have every incentive to load that PC down with extra software, because they get paid a bounty for each title they bundle. And they're loath to spend money making premium PCs when cheap PCs are what sell the most.

Superfish is more than inconvenient; it's downright dangerous. The certificate it uses to intercept your browsing has been thoroughly compromised: its private key is now public, so anyone can use it to sign software your PC would trust, or to tell you that your online banking site is secure while an attacker on the same network reads your traffic, just to give attackers a couple of ideas. It also stops smartcards from working. Even worse, Lenovo's initial instructions for removing it uninstalled the application but left the vulnerable root certificate on your PC.
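The check a Windows administrator would want after reading that paragraph is whether the root certificate is still in the trusted store, and if so, how to distrust and remove it properly. The following PowerShell is an added example, not Lenovo's or Microsoft's removal tooling; it assumes the certificate can be identified by "Superfish" in its Subject (which is how the shipped certificate named itself) and should be run from an elevated prompt for the LocalMachine store.

```powershell
# Added example, not part of the original article or of any vendor tooling.
# Assumption: the interception root names itself with "Superfish" in its
# Subject; pass a different -SubjectPattern to look for another product.

function Find-InterceptionRootCert {
    param([string]$SubjectPattern = '*Superfish*')
    # Trusted root stores for the machine and for the current user. A root in
    # either one is trusted by browsers that use the Windows store (IE, Chrome).
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store       = $store
                    Subject     = $_.Subject
                    Thumbprint  = $_.Thumbprint
                    NotAfter    = $_.NotAfter
                    # Whether the store itself holds the private key. An
                    # interception product may keep the key in its own files
                    # instead, so False here is not reassurance.
                    HasPrivateKey = $_.HasPrivateKey
                    Certificate = $_
                }
            }
    }
}

function Block-InterceptionRootCert {
    param([string]$SubjectPattern = '*Superfish*')
    # Copying the certificate into the Disallowed ("Untrusted Certificates")
    # store makes Windows reject any chain that ends in it, even if an
    # installer later puts it back into the Root store. Do this before
    # removing it from Root, because Find-InterceptionRootCert looks in Root.
    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $disallowed.Open('ReadWrite')
    try {
        foreach ($hit in Find-InterceptionRootCert -SubjectPattern $SubjectPattern) {
            $disallowed.Add($hit.Certificate)
        }
    } finally {
        $disallowed.Close()
    }
}

function Remove-InterceptionRootCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SubjectPattern = '*Superfish*')
    foreach ($hit in Find-InterceptionRootCert -SubjectPattern $SubjectPattern) {
        # PSPath is the certificate provider path (store + thumbprint).
        $path = $hit.Certificate.PSPath
        if ($PSCmdlet.ShouldProcess($path, 'Remove certificate from trusted root store')) {
            Remove-Item -Path $path
        }
    }
}

# Usage: report first; uninstall the application that installed the root
# before removing the certificate, or it may simply be re-added.
Find-InterceptionRootCert | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize
# Block-InterceptionRootCert            # explicitly distrust it
# Remove-InterceptionRootCert -WhatIf   # dry run
# Remove-InterceptionRootCert           # actually delete from Root
```

Firefox keeps its own certificate store rather than using the Windows one, so a machine that is clean by this check can still carry the root there; that store has to be checked separately.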

And this isn't the first time OEM software has caused problems. One notebook I looked at a few years ago had an amazing 79 running processes when you started Windows (not including the processes for Windows itself), all of them pre-installed software. One of them was a cloud storage service that hooked every single file write and redirected it via the network stack, making saving a file very like swimming through treacle.

There have been other incidents too, like Sony putting software on audio CDs that installed a rootkit in Windows to stop you copying them (it couldn't be uninstalled, slowed down your system and added security holes that malware quickly took advantage of).

Poor specs and poor judgement about software by the OEMs make it hard to love Windows, no matter how hard Microsoft works on the OS. At the January event, I asked whether Microsoft had the will to make hard decisions about this to protect users, and Terry Myerson returned a very diplomatic answer.

"I think we've had increasingly great partnership with OEMs; they've been partnering with us and moving to Windows as a service. I think we all share the same aspiration to have incredibly delighted users with products. We're all on the same page with our shared goal," he told me.

That sounds a little kind when PC makers are so willing to compromise their own user experience (even if you believe their claim that they're trying to give you more features on your PC, which is a strange way to describe putting more ads onto the web pages you see). But you can understand the Windows team being diplomatic about this, because they're in a tricky position.

Microsoft doesn't have a lot of power to change what OEMs do, beyond selling PCs in the Microsoft Store with the Signature edition of Windows, which leaves out the foistware and crapware found on the same PCs bought direct from the manufacturers.

Microsoft tests all the mainstream PCs that come onto the market and it could tell Lenovo that something is a bad idea. But it can't force a company not to do it. It probably can't even change the terms of the Windows OEM licence to stop OEMs adding extra software; not only would that be very hard to define and enforce, but it would push OEMs from Windows to Android and Chrome OS. It might even earn Microsoft another anti-trust investigation.

We know Microsoft is looking into the situation, but what can it do? Pushing out a security update that marks the Superfish certificate as untrusted would protect users who might otherwise be compromised by attackers. But a Microsoft security update that blocks third-party software isn't going to be popular with software companies (or, indeed, with people who don't trust Microsoft itself).

More fundamentally, trying to take tighter control of what the OEMs can do with Windows would change the entire basis of the Microsoft business model for PCs and Windows.

Windows hasn't been the tail that wags the Microsoft dog for a long time; it's just one of the important businesses at Microsoft. But without the PC makers, where would the Office business be, for example?

It's a clear dilemma: Microsoft needs the PC makers as well as the Windows users, and it has to perform a tricky balancing act between them. This is the tension that has brought us $99 tablets and $200 laptops, but it has also brought us unreliable PCs that run slower and have shorter battery life than they need to, poor user experiences and repeated security problems.

When Microsoft tried to find a way around the problem with Windows RT, it ran into clear resistance from the OEMs. OEMs could pre-install apps on RT, but what those apps could do was limited; they certainly couldn't change your PC experience, redirect your traffic, sell you anti-virus software or add security holes. And users could uninstall them with a simple press of the finger.

Leave aside the question of whether a version of Windows that ran Office but not your other desktop applications (which also means viruses as we know them can't run) was confusing or just what a lot of people need. With a low price tag and low profit margins, competition from Microsoft and no chance to cream off bigger profits by bundling anti-virus trials, the OEMs had far more to lose by supporting RT than they would gain by protecting users.

When Lenovo installs something like Superfish, and then says intercepting your secure web traffic with a root certificate doesn't have any security implications, it loses user trust.

The best way to protect yourself is to buy your PC directly from Microsoft and get Windows without the unwanted extras, but outside the US that means buying online instead of trying the keyboard and checking out the screen first. But are enough people going to do that to solve Microsoft's problem: how to keep the PC makers on board and still make users love Windows?
