Lenovo's Superfish security snafu blows up in its face

The preloaded Superfish adware does more than hijack website ads in a browser. It also exposes Lenovo owners to a simple but dangerous hack that could spell disaster.

Seth Rosenblatt Former Senior Writer / News
Superfish code hides in hard-to-reach places on your new Lenovo laptop, making it difficult to remove. Screenshot by Robert Graham/Errata Security

Removing software that comes with your brand-new Windows computer can be frustrating, but recently discovered software on new Lenovo laptops -- the top-selling laptop brand in 2014 -- can put your entire digital life at risk.

The preloaded software, called Superfish, alters your search results to show you different ads than you would otherwise see. But it also tampers with your computer's security so that attackers can snoop on your browser traffic -- no matter which browser you're using.

"Attackers are able to see all the communication that's supposed to be confidential -- banking transactions, passwords, emails, instant messages," said Timo Hirvonen, a senior researcher at security software maker F-Secure. That kind of threat, known as a man-in-the-middle attack because the hacker can spy on the users' Internet traffic and infiltrate their computer, poses a serious risk to consumers, he said.

Lenovo is scrambling to fix the problem. "We messed up badly," said Peter Hortensius, Lenovo's chief technology officer. He claims Lenovo was unaware that Superfish put consumers' Internet traffic up for grabs. "The intent was to supplement the shopping experience."

On Friday afternoon, the PC maker said it was working with McAfee and Microsoft to have Superfish "quarantined or removed." Lenovo released a Superfish removal tool that it promised would eliminate all traces of the software from Lenovo computers. Also on Friday, the US Department of Homeland Security warned that the Superfish software introduces a "critical vulnerability," and it issued its own instructions for removing the spyware from Lenovo computers.

Superfish said Friday that it is working with Microsoft and Lenovo on a fix, and played down the concerns raised by the government and by security researchers.

"The Superfish code does not present a security risk. In no way does Superfish store personal data or share such data with anyone," Superfish said in an emailed statement. "Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some shipped. Fortunately, our partnership with Lenovo was limited in scale."

A spokesman for Microsoft, which makes the Windows operating system that powers Lenovo's laptops, at first referred to Lenovo's own security advisory on Superfish. On Friday he added that Microsoft has changed its default Windows security software to detect and remove the Superfish software.

At issue is the potential impact of preinstalled spyware making consumers and businesses vulnerable to hackers without their knowledge. Superfish's technique for spying on otherwise secure communications from your computer could herald a new and dangerous trend for preloaded software. And by exposing consumer Internet traffic to the kind of attack Hirvonen describes, user trust is on the chopping block.

Why did this happen? Part of the reason is that since the 1990s, consumers have become accustomed to both preloaded software and apps showing ads without permission. But it's practically unheard of for that software to expose laptop owners to this kind of attack.

"Consumers trust that their laptops won't come with a vulnerability like this," said Chris Wysopal, co-founder of security analysis company Veracode. And it's not just consumers at risk from insecure browsers, but businesses, too.

Another reason Superfish is unusually dangerous is that it's not an app like Adobe Photoshop or Microsoft Word, but rather code hidden from everyday users.

"You know it's not helpful software because helpful software is easy to install, and find and uninstall," said Galen Ward, the CEO of Estately, a startup focused on home buying and selling. He removed Superfish from an employee's Lenovo Flex 2 laptop in January, but following standard protocols of searching the laptop for Superfish files didn't work, he said.

Lenovo now has labeled the Superfish threat on its laptops as "high," its most severe rating. Nevertheless, the immediate impact on consumers could be minimal if they take steps to clean their computers. If you are worried your computer has Superfish on it, CNET has a Superfish removal guide.

Superfish makes two changes to the way computers surf the Internet. It alters search results, including those from Google, so when a user moves the mouse over a product, it shows additional information such as similar listings at lower prices. But Superfish also cripples a Web browser's ability to communicate securely.

Lenovo's Hortensius said the company is not aware of any consumers whose data was compromised in an attack because of the Superfish software. However, an investigation into Superfish by security researcher Robert Graham has shown that compromising a Lenovo laptop's security via Superfish is more than merely theoretical.

Lenovo declined to say how many people own laptops infected with the software, but the company sold 16 million Windows computers in the fourth quarter of 2014, IDC said. Superfish was installed on more than 11 types of Lenovo laptops sold to the public between September 2014 and January 2015, including the popular Yoga and Flex models. Lenovo has published a full list of affected computers.

Update, Friday, February 20 at 10:30 a.m. PT: Adds information on Microsoft's decision to detect and remove Superfish from Lenovo laptops. Update, Friday at 12:34 p.m. PT: Adds warning from the Department of Homeland Security. Update, Friday at 3 p.m. PT: Adds Superfish statement. Update, Friday at 4:47 p.m. PT: Adds updated statement and information on Superfish removal tool from Lenovo.
