Until Superfish fix, Lenovo devices can't be trusted for secure work

Enterprise customers are said not to be affected, but millions of consumers and bring-your-own-device users are likely using compromised machines.
Written by Zack Whittaker, Contributor
Millions of Lenovo machines potentially at risk from Superfish adware

Millions of Lenovo owners are being warned to not use their desktops and laptops for "any kind of secure transaction," amid concerns that the company installed adware on their machines.

Lenovo-branded devices sold between September 2014 and January 2015 through consumer online and retail stores, such as Best Buy and Amazon.com, are likely affected by the Superfish adware, which intercepts encrypted (HTTPS) web traffic so that it can inject advertisements.

Defcon security chief and security researcher Marc Rogers, who detailed the scope and scale of the adware problem on his blog, told ZDNet that consumers should immediately check to see if their machines are affected.

"If they are affected, they should not use their laptop for any kind of secure transactions until they are able to confirm [the adware] has been removed," he said.

As many as 16 million Lenovo desktops and notebooks shipped in the fourth calendar quarter, according to recent IDC and Gartner figures.

Enterprise customers who bought their devices through a business channel are said not to be affected.

Hijacking secure pages

ZDNet's Chris Duckett reported Thursday that Lenovo installed a self-signed root certificate, trusted by the machine as a certificate authority, that gives the adware the ability to intercept and hijack traffic flowing over SSL and TLS connections, the encrypted connections that online stores, banks, and other apps and services rely on to send data securely.

Lenovo partnered with advertising firm Superfish to preinstall the adware on its consumer laptops. The software injects advertisements into pages served over encrypted connections. But Rogers said on his blog that this undermines the security standard, "rendering the last decade or so of work making the web secure completely irrelevant."

The certificate's private key was reportedly extracted and published earlier Thursday. Because every affected machine trusts that certificate, anyone holding the key can sign a certificate for any website the machine visits, making it possible for an attacker on the same network (in a coffee shop, on a home network, or in a corporate environment) to impersonate secure sites and snoop on web traffic.

Lenovo confirmed in a statement that it had "removed" Superfish from new machines as of January 2015. The company said it had also issued an update to stop the adware from activating on machines already sold.

That update is currently in testing by a number of security experts.

Users who think they might be affected by the Superfish vulnerability can check their desktops and laptops by visiting a recommended browser-based checking tool.

Lenovo's trust is shot, Microsoft expected to step in

As Duckett reported, the only confirmed way of completely removing Superfish appears to be reinstalling Windows (from a non-Lenovo image), or moving to another operating system entirely.

Uninstalling the Superfish software may not remove the root certificate authority, according to reports on social media.

Removing the root certificate may be the only option, Rogers said. He warned that the vast majority of users would not know how to remove the certificate. "It's far too complex for the man on the street," he said, suggesting that Microsoft would have to issue a fix to ensure Lenovo devices are not compromised.
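For readers who do want to perform the check and the removal themselves, the following PowerShell script is an added example; it is not part of the original article and is not Lenovo's or Microsoft's own tooling. It assumes that the adware's root certificate can be recognised by a Subject containing "Superfish" or by the SHA-1 thumbprint that public removal guides attributed to it, and that the software registers a Windows uninstall entry whose display name contains "Superfish" or "VisualDiscovery". None of those identifiers comes from the article, so treat them as assumptions to verify against Lenovo's advisory.

```powershell
# Added example: look for the Superfish adware and its root certificate on a
# Windows machine, and optionally remove the certificate from the trust stores.
# ASSUMPTIONS (not from the article): Subject contains "Superfish"; the SHA-1
# thumbprint below is the one reported by public removal guides; the uninstall
# entry's DisplayName contains "Superfish" or "VisualDiscovery".
# Run from an elevated prompt to inspect or modify the LocalMachine store.
[CmdletBinding()]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$SuperfishThumbprint = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'  # assumed

# A trusted root can be planted per-machine or per-user; check both.
$RootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuperfishSoftware {
    # Uninstalling the program is a separate step from removing the root
    # certificate, so report the software's presence on its own.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like '*Superfish*' -or $_.DisplayName -like '*VisualDiscovery*'
        } |
        Select-Object DisplayName, Publisher, InstallLocation
}

function Find-SuperfishRoot {
    foreach ($store in $RootStores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Subject -like '*Superfish*' -or $_.Thumbprint -eq $SuperfishThumbprint
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    # A root CA that signed itself: the hallmark of a locally
                    # planted interception certificate rather than a public CA.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Remove-SuperfishRoot {
    param([switch]$WhatIf)
    foreach ($cert in Find-SuperfishRoot) {
        # Certificate provider paths are <store>\<thumbprint>.
        $path = "$($cert.Store)\$($cert.Thumbprint)"
        Write-Host "Removing $path"
        Remove-Item -Path $path -WhatIf:$WhatIf
    }
}

$software = Find-SuperfishSoftware
if ($software) {
    Write-Host 'Superfish software appears to be installed:'
    $software | Format-Table -AutoSize
} else {
    Write-Host 'No Superfish uninstall entry found.'
}

$roots = @(Find-SuperfishRoot)
if ($roots.Count -eq 0) {
    Write-Host 'No Superfish root certificate found in the Windows root stores.'
} elseif ($Remove) {
    Remove-SuperfishRoot
    # Confirm the removal actually took effect.
    if (@(Find-SuperfishRoot).Count -eq 0) { Write-Host 'Root certificate removed.' }
    else { Write-Warning 'Certificate still present; re-run from an elevated prompt.' }
} else {
    Write-Warning 'Superfish root certificate is trusted on this machine:'
    $roots | Format-Table -AutoSize
    Write-Host 'Re-run with -Remove (elevated) to delete it.'
}
```

The script deliberately reports the software and the certificate separately, because the two are independent: the article notes that uninstalling the program may leave the root certificate in place, and it is the certificate, not the program, that lets a holder of the leaked private key impersonate any HTTPS site to the machine. The Windows certificate stores are not the only trust stores on a PC; browsers such as Firefox keep their own, which this script does not inspect.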

It wouldn't be the first time Microsoft has stepped in to fix a third-party company's issue.

VeriSign in 2001 erroneously issued code-signing certificates to an impostor posing as a Microsoft employee, and Microsoft had to push an update to revoke them. A Microsoft security bulletin at the time warned that the certificate issue could have affected "all customers using Microsoft products."

The software giant does have a how-to guide on removing a root certificate, but Rogers said this is "something the ordinary consumer is not equipped to deal with, nor should it be."

"We should be able to trust our hardware manufacturers to have our best interests at heart -- especially in this climate of rising cybercrime," Rogers added.
