Friday, Feb 20, 2015

Lenovo and Superfish – when good companies make bad decisions

Word of Lenovo’s use of Superfish is swirling around the internet and other media, so we thought we should address it. Superfish is an image-based search technology app. Turns out Lenovo pre-installed it on some of its lines of computers along with a security certificate to allow it to place advertisements on secure web pages. As if this weren’t bad enough, they set it up so that once someone cracked the certificate’s private key (which, of course, someone already has), the setup could be used by third parties to do nefarious things on the computer.

Superfish is a real company (http://www.home.superfish.com/) and as most Interconnected Technologies clients know, Lenovo ThinkPads are one of our preferred brands of laptops (http://www.lenovo.com/thinkpad). The good news is that the ThinkPad line from Lenovo was not included in this ill-advised little venture, and while it is generally reported that the IdeaPad and a few other personal use lines from Lenovo were compromised by this, the consensus reporting is that only non-ThinkPads shipped in the 4th quarter of 2014 were affected.

If you have any product from Lenovo (or any computer, really) you might want to look a little further into this, or, better yet, have Interconnected Technologies do it for you! We have reviewed our client list and have been in touch with clients we think may be affected by this.

Lenovo released the following statement about this: http://support.lenovo.com/us/en/product_security/superfish

You can visit this site to determine whether or not you have an issue: https://filippo.io/Badfish/

or this one: https://lastpass.com/superfish/

Lenovo released instructions for removing the software and associated certificate here: http://support.lenovo.com/us/en/product_security/superfish_uninstall
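
The Windows certificate store can also be checked locally. The following PowerShell is an added example, not from the original post or from Lenovo: it only reads the trusted root stores and reports any certificate whose subject or issuer contains the vendor name. The function name `Find-RootCertByName` is made up for this example, and matching on the string "Superfish" is an assumption about how the certificate is labelled.

```powershell
# Added example (not from the original post): read-only audit of the
# Windows trusted root certificate stores. Nothing is modified or removed.
# Assumption: the unwanted certificate names the vendor in its Subject or Issuer.
function Find-RootCertByName {
    [CmdletBinding()]
    param(
        # Substrings to look for; 'Superfish' is the vendor name from the post.
        [string[]]$Name = @('Superfish'),
        # Trusted root stores for the whole machine and for the current user.
        [string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $Store) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            foreach ($n in $Name) {
                # -like is case-insensitive by default.
                $pattern = '*' + $n + '*'
                if ($cert.Subject -like $pattern -or $cert.Issuer -like $pattern) {
                    # Emit one record per matching certificate.
                    [pscustomobject]@{
                        Store         = $path
                        Subject       = $cert.Subject
                        Issuer        = $cert.Issuer
                        Thumbprint    = $cert.Thumbprint
                        NotAfter      = $cert.NotAfter
                        HasPrivateKey = $cert.HasPrivateKey
                    }
                    break   # stop checking further names for this certificate
                }
            }
        }
    }
}

$hits = @(Find-RootCertByName)
if ($hits.Count -eq 0) {
    Write-Output 'No matching certificate found in the Windows trusted root stores.'
} else {
    # A match means the certificate is still trusted and should be removed.
    $hits | Format-List
}
```

Browsers that keep their own certificate store, such as Firefox, are not covered by this check, so a clean result here does not replace the browser tests and removal instructions linked above.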

Lest anyone think that only PCs and only Lenovo machines are vulnerable to this type of thing, be aware that there are reports of this going back several years across both PCs and Macs (https://discussions.apple.com/thread/3919644?tstart=0). From what we can tell, however, only Lenovo has been dumb enough to do this directly on their own machines right out of the box. Adware and malware are everywhere, and computer users of all types must remain vigilant.

Here are a couple of good references for the Superfish issue:

http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

and

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/

As always, we stand ready to help Interconnected Technologies clients (current and future!) with issues such as this.
