The add-on analyzes images on the pages you visit and offers up ads for the same or similar products at a lower price. That, in and of itself, is slightly troublesome. But what really set off alarms was when users discovered how it worked: it installs its own root certificate into the machine's trusted certificate store, a "man-in-the-middle" certificate that lets Superfish sit between the browser and secure (HTTPS) sites, decrypt the traffic and re-encrypt it so the browser shows no warning. Anything on those pages, bank account details included, is readable by whoever holds the private key for that certificate. Pop-up ads are annoying, but leaving your bank info open to prying eyes is downright dangerous.
Lenovo says it has not found "any evidence to substantiate security concerns." Still, the tweet above, which seems to show a certificate for bankofamerica.com issued by Superfish rather than by the bank's own certificate authority, seems like plenty of cause for concern: that is exactly what an intercepted connection looks like. Even if the software is safe and secure, Lenovo doesn't seem interested in pissing off its customers, so Superfish won't be making a comeback.
The manufacturer did want to make one thing abundantly clear in a statement given to Engadget:
"Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent."
Make of that what you will. But installing any sort of adware on a machine before it even leaves the factory seems like an obviously bad idea, regardless of whether or not it violates a user's privacy.
Update: Lenovo's CTO Peter Hortensius sat down for an interview with the Wall Street Journal and told the newspaper that the company is building a tool to remove all traces of Superfish from a person's computer.
"We will provide a tool that removes all traces of the app from people's laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we'll issue a press release with information on how to get it."
Update #2: If you weren't sure how open to abuse this vulnerability was, then know this: the certificate that Superfish uses to insert itself into your secure connections has been hacked. Because the same root certificate, and the same private key, ships on every affected laptop, anyone who has extracted that key can sign a certificate for any website, and those laptops will trust it without complaint on any network the attacker can sit on, such as a coffee shop's Wi-Fi. This turns the problem from a cause for concern (see: "The Really Bad Part") into a real, genuine problem. Fortunately, Lenovo has come good on its promise, with full removal instructions here.
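If you want to check a laptop yourself rather than wait for a vendor tool, the following PowerShell is an added example written for this article; it is not Lenovo's removal tool or any Superfish code. It assumes the planted root's subject contains the word "Superfish" (the name the shipped root carried; adjust the pattern if yours reads differently), looks for it in the Windows root stores, offers to delete it, and reproduces the check from the tweet by opening a TLS connection and reporting who signed the certificate the server presented. Run it as Administrator to touch the LocalMachine store.

```powershell
# Added example (not Lenovo's tool or Superfish code). Assumes the Superfish
# root certificate's subject contains "Superfish"; change -Pattern if not.

function Find-SuperfishRoot {
    param([string]$Pattern = '*Superfish*')
    # The adware installed its root machine-wide; also check the per-user
    # store in case a copy was imported there.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    PSPath     = $_.PSPath
                }
            }
    }
}

function Remove-SuperfishRoot {
    # Supports -WhatIf so you can see what would be deleted before doing it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Pattern = '*Superfish*')
    foreach ($cert in (Find-SuperfishRoot -Pattern $Pattern)) {
        $target = "$($cert.Store) $($cert.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove root certificate')) {
            Remove-Item -Path $cert.PSPath
        }
    }
}

function Get-TlsIssuer {
    # Opens a TLS connection and reports who signed the certificate the
    # server presented. On a clean machine a bank's site is issued by a
    # public CA; if the issuer is Superfish, something between you and the
    # site is intercepting the connection.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we want to inspect it, not trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors)
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Intercepted = ($cert.Issuer -like '*Superfish*')
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (hypothetical host name; use the site you want to check):
Find-SuperfishRoot
Remove-SuperfishRoot -WhatIf          # drop -WhatIf to actually delete
Get-TlsIssuer -HostName 'www.bankofamerica.com'
```

Two caveats: Firefox keeps its own certificate store separate from Windows, so check it from the browser's certificate manager as well; and deleting the certificate only stops the laptop trusting the interception, it does not uninstall the software that performs it, which is why Lenovo's tool goes further than removing the app.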