Late last week it was announced that some Lenovo consumer laptops contained a pre-installed application called ‘Superfish’. This provides targeted adverts based on web content being viewed in a way that presents a serious security risk.
Lenovo have now released a series of statements, revealing:
- The software was installed on laptops sold between September 2014 and February 2015
- The software was only installed on consumer laptops, not enterprise laptops such as the ThinkPad range. All affected laptop models are listed in the statements
If you use a Lenovo laptop you must remove Superfish. Lenovo has made a removal tool available; alternatively, Superfish can be detected and removed by Microsoft Forefront and Security Essentials, which CiCS recommends.
Superfish works by intercepting secure internet traffic to collect and analyse sensitive data before presenting ‘shopping tips’. This significantly erodes the chain of trust provided by certificates.
Further analysis has revealed that certain security products use similar techniques to intercept secure traffic. Notably, these include Comodo PrivDog and Lavasoft Ad-Aware Web Companion (not the same as the core Ad-Aware program).
If you have installed either of these we strongly recommend you remove them along with their underlying root certificates. Removal tools are being made available on the respective vendors’ websites.
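All three products work by adding their own root certificate to the Windows trust store and keeping the matching private key on the machine, which is what lets them re-sign intercepted HTTPS traffic. The following PowerShell check is an added example, not a tool from Lenovo, CiCS or any of the vendors: it lists root certificates in the user and machine stores that either carry a private key locally (something a genuine CA root never does) or whose subject matches one of the product names above. The name patterns are an assumption drawn from the products named in this post.

```powershell
# Added example: flag likely TLS-interception roots in the Windows trust stores.
# A legitimate CA root never ships its private key to an end-user PC; an
# interception product must keep one locally to mint certificates on the fly.
# Subject-name patterns are assumptions based on the products named in the post.
$suspectNames = @('Superfish', 'PrivDog', 'Lavasoft', 'Web Companion')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        foreach ($name in $suspectNames) {
            if ($cert.Subject -like "*$name*") { $reasons += "subject matches '$name'" }
        }
        # HasPrivateKey is true when a private key is associated with this certificate
        if ($cert.HasPrivateKey) { $reasons += 'private key present for a root certificate' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspect root certificates found.' }
```

The script only reads the stores; a self-signed root you installed yourself for development will also be listed, so confirm each hit before removing it with the vendor's tool. Firefox keeps its own certificate store, which this check does not cover.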
Please feel free to contact us at firstname.lastname@example.org if you’d like further information about this issue.
This post is based on information available on 23 February 2015 but the story is still developing. Updates will be posted to this blog.