UPDATED: No one likes crapware--the adware and trial software that PC and smartphone vendors put on their devices. Until recently, though, we rarely got actual malware installed on new computers. Now, thanks to Lenovo and Superfish Visual Discovery adware, we didn't merely get injected ads in our search engine results, we also had our computer doors opened to man-in-the-middle Secure Sockets Layer/Transport Layer Security (SSL/TLS) attacks.
Users always disliked Superfish. As early as September 2014, Lenovo buyers were complaining about Superfish's fishy search results. Lenovo, however, didn't admit to installing Superfish, and its problems, until January 2015. Then, Mark Hopkins, a Lenovo social media program manager, admitted that Superfish had "some issues (browser pop up behavior for example)," so Lenovo temporarily removed Superfish from their systems.
This hole was discovered on January 21 by a Lenovo user. Lenovo, however, while no longer installing it on new systems, didn't alert users to the potential danger. This hole can be used against you no matter which Web browser you're using.
Then the problem with Lenovo consumer laptops running Windows 8.1, sold between September 2014 and January 2015, was shown to be even worse than expected. Google security engineer Chris Palmer showed on Twitter that Superfish was intercepting SSL/TLS connections and injecting its own self-signed certificates for all sites on his Yoga 2 laptop. This included such sites as the one for Bank of America.
On February 19th, the problem went from merely terrible security practice and a potential problem to being a real security hole. Robert Graham, a security hacker, extracted the password that Superfish uses for its CA and published it. This means that, as Graham put it, "I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a café wifi hotspot."
So, if you're in a coffee shop right now using your new Lenovo with a secured Web site open in another tab, you could be having your password stolen at this moment. Here's how to zap Superfish.
First, you need to get rid of the program. To do that, take the following steps:
I don't buy it. If that's the case then Palmer never should have been misdirected while browsing with his Lenovo laptop on February 18th.
This issue aside, the bad certificate will still be on your Windows system. To get rid of it, run the Microsoft Management Console, Mmc.exe (you need an administrator's credentials to do this), and do the following:
Go to File -> Add/Remove Snap-in
Pick Certificates, click Add
Pick Computer Account, click Next
Pick Local Computer, click Finish
Look under Trusted Root Certification Authorities -> Certificates
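The same check can be run from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes the certificate's Subject or Issuer contains the text "Superfish" (the name the article says to look for), and the function names are hypothetical.

```powershell
# Added example: audit the Local Computer "Trusted Root Certification
# Authorities" store for a named CA and optionally remove it.
# Assumption: the rogue root's Subject or Issuer contains "Superfish".

function Find-TrustedRootByName {
    param(
        [string]$Pattern = 'Superfish',
        [string]$Store   = 'Cert:\LocalMachine\Root'   # same store the MMC steps open
    )
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" } |
        Select-Object @{ n = 'Store'; e = { $Store } }, Subject, Thumbprint, NotAfter, PSPath
}

function Remove-TrustedRootByName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Pattern = 'Superfish')

    $hits = @(Find-TrustedRootByName -Pattern $Pattern)
    if ($hits.Count -eq 0) {
        Write-Output "No trusted root matching '$Pattern' found."
        return
    }
    foreach ($cert in $hits) {
        # ShouldProcess provides -WhatIf / -Confirm, so each deletion is reviewed.
        $target = "$($cert.Subject) [$($cert.Thumbprint)]"
        if ($PSCmdlet.ShouldProcess($target, 'Remove from trusted roots')) {
            Remove-Item -LiteralPath $cert.PSPath
        }
    }
    # Re-scan: no output here means the root is no longer trusted machine-wide.
    Find-TrustedRootByName -Pattern $Pattern
}

# Review what matches first, then preview the removal without changing anything.
Find-TrustedRootByName | Format-List Store, Subject, Thumbprint, NotAfter
Remove-TrustedRootByName -WhatIf
```

Drop `-WhatIf` to perform the removal. This only covers the Windows store; the browser checks that follow still apply.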
If you're using Firefox or Chrome, there may also be a cached copy of the bad certificate. To check on this, with Firefox enter:
on the address bar. On the menu that comes up, choose Certificates and then View Certificates. Once there, look for Superfish in the list of Authorities. Once you find it, delete it.
On Chrome, go to Settings/Advanced Settings/HTTPS/SSL/Manage Certificates. In the Certification Manager, go to Authorities and look for Superfish. If you find it, delete it. If the delete button is not active, choose edit instead and uncheck all the "Trust this certification" radio buttons.