Lenovo releases tool to remove Superfish vulnerability
MANILA, Philippines – Following the news that Superfish ad placement software was installed on Lenovo PCs and had a potentially dangerous security vulnerability, Lenovo released instructions for removing Superfish from its Notebook products and an automated removal tool for the Superfish software.
Speaking with Re/code on Friday, February 20 (Saturday Manila time), Lenovo CTO Peter Hortensius admitted that the company "messed up" with regard to the Superfish issue.
The Superfish adware was pre-installed on Lenovo PCs between September 2014 and January 2015.
While the company had an engineering review that made sure Superfish didn't store customer information and had a mechanism to let users opt out, it missed the way the software behaved.
Hortensius said of their process, “We should have known going in that that was the case.”
“We just flat-out missed it on this one, and did not appreciate the problem it was going to create," he added.
In a statement, Lenovo also said that while the issue "in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognize that all Lenovo customers need to be informed."
The company added, "We will continue to take steps to make removal of the software and underlying vulnerable certificates in question easy for customers so they can continue to use our products with the confidence that they expect and deserve."
Superfish meant to serve ads anywhere
Superfish CEO Adi Pinhas acknowledged on Saturday that one aspect of the Superfish software – its installation of a self-signed root certificate authority, which jeopardized user security – was meant to allow Superfish to serve its ads on any website, including sites served over HTTPS.
The Next Web, which reached Pinhas indirectly, by email through a communications representative, said Superfish "intentionally installed the root certificate authority to 'enable a search from any site.'"
Because the machine trusts that root authority, Forbes wrote, the software could not only decide which encrypted connections the PC treated as trustworthy, but could also potentially let hackers – or the company itself – intercept and spy on the PC owner's encrypted traffic.
Pinhas also dodged a question about whether the Superfish software installs the certificate itself, saying that users had to opt in and that it was "not installed without the users opting in." – Rappler.com