Lenovo has once again apologized to customers over Superfish and has promised to restore their faith in the company with a number of rapid fixes and improvements.
In an open letter to consumers published late Monday, Lenovo's chief technology officer Peter Hortensius said the firm was sorry for the problems Superfish adware has caused, and is working with other companies to make customer PCs safe from the software's security problems.
Superfish came preloaded on notebook products shipped between September 2014 and February 2015. The adware, designed to inspect user queries and offer recommendations based on this data, contains more than one security flaw which has worried users. The adware can intercept SSL and TLS website connections, and then uses a third-party library from Komodia to modify the Windows networking stack and install a new root Certificate Authority (CA).
Able to sit in the middle of a connection and intercept data packets, Superfish also has the power to inspect search queries, emails, personal messages and online banking transactions.
According to security researcher Filippo Valsorda, Komodia is "horribly broken" and the third-party library causes Superfish to become a "catastrophic" piece of adware. His analysis reveals that Komodia creates a security problem which allows the self-signing of invalid and untrusted certificates, so that browsers accept certificates as valid even when they should be rejected. This, in turn, could allow hijackers to intercept HTTPS connections and conduct man-in-the-middle (MITM) attacks.
Hortensius says Lenovo has stopped the preloads and will not include Superfish on any product in the future, and after releasing a manual and automatic removal tool to kill the adware, the Chinese firm also contacted Microsoft, McAfee and Symantec to update their software to automatically disable and remove Superfish adware.
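The removal tools mentioned above aside, an administrator can confirm on an affected notebook that the injected root CA is actually gone. The following is an added example for this article, not code from Lenovo, Superfish or any removal tool: it enumerates the machine-wide and per-user trusted root stores and flags any certificate whose subject or issuer contains "Superfish". It assumes that the root CA the adware installs carries "Superfish" in its subject name.

```powershell
# Added example (not Lenovo's, Superfish's or a vendor tool's code).
# Assumption: the injected root CA has "Superfish" in its Subject/Issuer.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if ($suspects) {
    Write-Output 'Trusted root store still contains a Superfish certificate:'
    $suspects | Format-Table -AutoSize
    # Removal requires an elevated shell for the LocalMachine store.
    # -Confirm prompts before each deletion so nothing is removed by accident.
    foreach ($s in $suspects) {
        Remove-Item -Path (Join-Path $s.Store $s.Thumbprint) -Confirm
    }
} else {
    Write-Output 'No Superfish root certificate found in the trusted root stores.'
}
```

Checking both stores matters because a certificate trusted in either one is enough for a browser that relies on the Windows trust store to accept interception of HTTPS connections; removing the adware binaries without removing the certificate leaves the trust relationship in place.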
The Lenovo executive goes on to say the company has "communicated as rapidly as possible with customers, partners and industry watchers and influencers," and hopes that "we are better informed and more clear on what is important." Lenovo is now working on a "concrete plan" to address security issues, which will be shared this week with the public. However, Hortensius can currently reveal that Lenovo is working on a range of options to stem the Superfish tide, including:
- Creating a cleaner PC image (the operating system and software that is on your device right out of the box);
- Working directly with users, privacy/security experts and others to create the right preload strategy quickly;
- Soliciting and assessing the opinions of even our harshest critics in evaluating our products going forward.
"While this issue was limited to our consumer notebooks and in no way impacted our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognize that all Lenovo customers may have an interest in where we are and what is next.
The fact is our reputation touches all of these areas, and all of our customers. Now, we are determined to make this situation better, deliver safer and more secure products and help our industry address -- and prevent -- the kind of vulnerabilities that were exposed in the last week."
In related news, at the time of writing, Komodia.com is under a distributed denial-of-service attack. A notice on the website says:
"Site is offline due to DDOS with the recent media attention. Some people say it's not DDOS but a high volume of visitors, at the logs it showed thousands of connections from repeating IPs."
While a plan to patch not only the Superfish security vulnerability but Lenovo's reputation is a step in the right direction, the damage is already done in relation to legal issues. At least one person has already filed a lawsuit against Lenovo and Superfish for "violating state and federal wiretap laws, trespassing on personal property, and violating California's unfair competition law," according to Ars Technica. In addition, law firm Rosen Law has asked consumers to join a class-action lawsuit against the companies.