Millions of Lenovo owners are being warned not to use their desktops and laptops for "any kind of secure transaction," amid concerns that the company installed adware on their machines.
Lenovo-branded devices sold between September 2014 and January 2015 through consumer online and retail stores, like Best Buy and Amazon.com, are likely affected by the Superfish adware, which hijacks secure internet traffic.
Enterprise owners, who bought the device through a business channel, are said not to be affected.
Hijacking secure pages
ZDNet's Chris Duckett reported Thursday that Lenovo shipped machines with a self-signed root certificate authority installed in the trusted certificate store, giving the Superfish software the ability to intercept and hijack traffic flowing over SSL and TLS connections -- the encryption online stores, banks, and other apps and services rely on to send data securely.
Lenovo partnered with advertising firm Superfish to install the adware on its consumers' laptops. The software allows advertisements to be displayed on encrypted sites: it acts as a man-in-the-middle, terminating the connection to the real site itself and handing the browser a certificate it signs on the fly with the Superfish root, which the machine trusts, so no warning appears. But security researcher Marc Rogers said on his blog that this undermines the protection SSL and TLS are meant to provide, "rendering the last decade or so of work making the web secure completely irrelevant."
The private key for that root certificate was reportedly extracted and published earlier Thursday. Because every affected machine trusts the same root, anyone holding the key can sign a certificate for any site and a Superfish-equipped laptop will accept it without complaint, making it possible for anyone on the same network -- a coffee shop, a home network, or in a corporate environment -- to snoop on or alter web traffic.
Lenovo confirmed in a statement that it had "removed" Superfish as of January 2015. The company said it had issued an update to disable existing machines already sold from activating the adware.
That update is currently being tested by a number of security experts.
Removing the root certificate may be the only option, Rogers said. He warned that the vast majority of users would not know how to remove the certificate. "It's far too complex for the man on the street," he said, suggesting that Microsoft would have to issue a fix to ensure Lenovo devices are not compromised.
It wouldn't be the first time Microsoft has stepped in to fix a third-party company's issue.
Verisign in 2001 erroneously issued two certificates to someone posing as a Microsoft employee, and Microsoft had to push out an update to block them. A Microsoft security bulletin warned the certificate issue could have affected "all customers using Microsoft products."
The software giant does have a how-to guide on removing a root certificate, but Rogers said this is "something the ordinary consumer is not equipped to deal with, nor should it be."
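The check and removal that guide describes, as an added example written for this page (it is not code from the article, Lenovo or Microsoft): it lists any certificate in the Windows trusted root stores whose subject mentions Superfish, shows which issuer a live HTTPS site presents to the machine, and deletes the certificate only when run with -Remove. Matching on the subject name is an assumption, since the article gives no thumbprint; confirm the printed thumbprint before removing anything. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the article, Lenovo or Microsoft. Checks a Windows
# machine for the Superfish root certificate, shows which issuer a live site
# presents (a Superfish issuer means interception is still active), and removes
# the certificate only when run with -Remove.
# Assumption: the certificate is recognised by its subject containing "Superfish";
# the article gives no thumbprint, so confirm the printed one before removing.
# Run from an elevated PowerShell prompt.
param(
    [switch]$Remove,
    [string]$TestHost = 'www.example.com'   # any HTTPS site works for the issuer check
)

$pattern = '*Superfish*'

function Find-SuperfishCert {
    # The machine-wide trusted root store is where the CA would make every
    # browser trust it; the per-user store is checked too in case it was added there.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern }
    }
}

function Get-SiteIssuer([string]$HostName) {
    # Open a TLS connection and report who signed the certificate this client saw.
    # With interception active the issuer is the local CA, not the site's real CA.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.RemoteCertificate.Issuer
    } finally {
        $tcp.Close()
    }
}

$found = @(Find-SuperfishCert)
if ($found.Count -eq 0) {
    Write-Output "No certificate matching $pattern in the trusted root stores."
} else {
    foreach ($cert in $found) {
        Write-Output ("Found: {0}`n  Thumbprint: {1}`n  Store: {2}`n  Valid {3} to {4}" -f
            $cert.Subject, $cert.Thumbprint, $cert.PSParentPath, $cert.NotBefore, $cert.NotAfter)
    }
    if ($Remove) {
        # Remove-Item on the Cert: drive deletes the certificate from its store.
        $found | Remove-Item -Verbose
    } else {
        Write-Output 'Re-run with -Remove to delete the certificate(s) listed above.'
    }
}

try {
    Write-Output "Issuer of the certificate presented by ${TestHost}: $(Get-SiteIssuer $TestHost)"
} catch {
    # Validation now fails if the interceptor is still running but its root is gone.
    Write-Output "TLS handshake with $TestHost failed: $($_.Exception.Message)"
}
```

Two caveats for anyone using this: uninstall the Superfish application before deleting the certificate, since the running software is what puts the certificate in place, and remember that Firefox keeps its own certificate store separate from Windows', so the Windows stores being clean does not by itself mean Firefox no longer trusts the root.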
"We should be able to trust our hardware manufacturers to have our best interests at heart -- especially in this climate of rising cybercrime," Rogers added.