How Companies Are Responding To Lenovo's Superfish Adware

Lenovo and other organizations are taking steps to mitigate the risk posed by Superfish. Superfish’s developers? Not so much.

Lenovo is working to remove a computer security hole represented by Superfish, a bit of pre-installed adware that can do much worse than just serve pop-ups.

Superfish undermines the certificates that secure web traffic: it installs its own root certificate on the machine and presents certificates signed with it in place of the sites' legitimate ones. Superfish does this to inject ads, but replacing those certificates opens certain Lenovo computers to what's known as a man-in-the-middle attack.

Web security experts justifiably freaked out when the news broke this week. With Superfish, any web traffic sent or received on affected machines could be intercepted or copied.

And the private key behind that root certificate is apparently the same in every copy of the software. Anyone who extracts it from one Lenovo computer can compromise them all.

By Friday, Lenovo’s CTO had admitted his company’s misstep in exposing users to such attacks. “Going forward, we feel quite strongly that we made a significant mistake here.”

The company issued an official apology and published an automatic tool for removing Superfish from affected computers.

Microsoft updated its Defender antivirus program to hunt down and eliminate Superfish, as well as the root SSL certificates that caused the vulnerability in the first place. (Video via CNET)

Even the U.S. Government has issued an alert to affected Lenovo users, recommending they uninstall the software and its certificates.
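The alert's advice boils down to one check a Windows user or administrator can run themselves: look in the trusted-root certificate stores for a root whose private key is held on the local machine, which is exactly what an ad-injecting TLS interceptor needs and what a normal public CA root never has. The following PowerShell audit is an added example, not a tool from Lenovo, Microsoft or the article; the subject-name pattern is a placeholder to be replaced with the name given in the relevant advisory, and the `-Remove` switch is optional.

```powershell
# Added example (not from the article, Lenovo or Microsoft): audit the Windows
# trusted-root stores for a locally installed interception root certificate.
# Assumption: $SuspectSubjectPattern is a placeholder; substitute the subject
# name published in the vendor or CERT advisory for the adware in question.
param(
    [string]$SuspectSubjectPattern = '*PLACEHOLDER-ADWARE-ROOT*',
    [switch]$Remove
)

# Both the machine-wide and the per-user root stores can hold a trusted root.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$findings = @()

foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()

        # A trusted root whose private key lives on this machine means any
        # process that can read that key can mint a valid-looking certificate
        # for any website the browser visits. Public CA roots never carry one.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }

        # Secondary check: the subject name matches the advisory's pattern.
        if ($cert.Subject -like $SuspectSubjectPattern) {
            $reasons += 'subject matches advisory pattern'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No trusted root with a local private key or a matching subject was found.'
}
else {
    $findings | Format-Table -AutoSize

    # Removal is opt-in and prompts per certificate; reviewing the list first
    # matters because enterprise TLS inspection or developer tooling can also
    # install a root with a local key, and those are expected on some machines.
    if ($Remove) {
        foreach ($f in $findings) {
            $path = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
            Remove-Item -Path $path -Confirm
        }
    }
}
```

Run it from an elevated PowerShell prompt, since reading and removing entries under `Cert:\LocalMachine\Root` requires administrator rights. A hit on the private-key check is a lead rather than proof on its own; removing the certificate also does not uninstall the adware that installed it, which is what the vendor's removal tool or the operating system's antivirus handles, and an interceptor left running can simply reinstall its root.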

This is a swift and fairly comprehensive response, especially compared to earlier security bugs such as Heartbleed.

That’s likely thanks to Superfish’s narrow, if deep, scope. Where Heartbleed put any computer system with sufficiently outdated SSL security protocols at risk, the Superfish adware only compromises certain computer models from a single manufacturer.

The one notable exception to the rapid response is Superfish’s developer, which is sticking to its guns. Ars Technica got an email from the company’s CEO:

“The Superfish software does not present a security risk. In no way does Superfish store personal data or share such data with anyone.”

Personal data was never the issue, and a number of outlets have criticized Superfish for sticking to that line. The company seems to be ignoring the risk it introduces into web browsing, with PCWorld calling the company "oblivious" and Techdirt using language we won't repeat here since it would have to be censored anyway.

Lenovo, meanwhile, says it has stopped preloading Superfish on its computers as of January.

This video includes images from Edward Boatman / CC BY 3.0.