superfish

Latest

  • Lenovo will pay a $3.5 million fine for preinstalling adware on certain laptops

    by Timothy J. Seppala
    09.05.2017

    Lenovo came under fire a few years ago for pre-installing adware called VisualDiscovery (developed by Superfish) onto new machines. Now that the legal dust has settled, the laptop maker has agreed to pay $3.5 million in fines to a 32-state coalition "to resolve their concerns" related to the nefarious bloatware app. In 2015, the worry was that the software performed a man-in-the-middle attack on supposedly secure connections and could be used to spy on encrypted communications. The company issued a tool for removing the software at the time.

  • Lenovo strips some of the unwanted software from its PCs

    by Jon Fingas
    02.27.2015

    Lenovo said it was rethinking its approach to pre-loaded software on PCs in the wake of the Superfish security fiasco, and it's now clear that the computer maker wasn't kidding around. It's promising that its home PC software bundles going forward will be limited to Windows, in-house apps and security software. The only exceptions will occur in certain countries, where some third-party apps are "customarily expected." That IdeaPad or Yoga won't be truly bloatware-free (that would limit you to Windows alone), but a lot of the annoying and potentially dangerous cruft will be gone. Just be prepared to wait a while before you see leaner, cleaner Lenovo computers. The system builder is starting to tidy things up right away, but its effort won't be in full swing until Windows 10 arrives.

  • Lenovo wants cleaner software bundles to avoid security disasters

    by Jon Fingas
    02.24.2015

    Lenovo was quick to stop preloading Superfish and clean up its immediate PC security problem, but what about preventing problems going forward? Well, you can relax a little -- the company is thinking about the long term. In an open letter, technical chief Peter Hortensius reveals that Lenovo is investigating a "wide range of options" to avoid software that poses a threat to your data. Among its choices are preloading a "cleaner" software bundle (definitely our pick) and consulting with both security experts and regular users to determine what programs it should use. The computer builder doesn't have a firm plan of action yet, but it's promising one by week's end -- while you probably won't see truly bloat-free Lenovo PCs, your next IdeaPad or Yoga should have a bit less cruft.

  • How could Lenovo miss its Superfish security hole?

    by Richard Lawler
    02.20.2015

    Until mid-day yesterday Lenovo thought the biggest problem with Superfish VisualDiscovery was the annoying ads it caused to pop up on customers' laptops. Superfish was supposed to analyze images on the web and "help" consumers find similar products, but the information security world was learning that it (apparently unintentionally) does quite a bit more. Facebook engineer Mike Shaver tweeted Wednesday night about how the preloaded adware performs a man-in-the-middle (MITM) attack on supposedly secure connections, and by Thursday morning security researcher Rob Graham showed how it could be used to spy on the encrypted communications of anyone running the software. At that point, Lenovo CTO Peter Hortensius still referred to the resulting security problems as "theoretical," but moves today from Microsoft and the US government -- and his comments to us -- show that they've realized the threat is very real. Update: Lenovo has just released a Superfish removal tool. In an accompanying statement (included after the break), the company says it's also working with McAfee so that virus scanners will remove the software and its certificate.

  • Lenovo will stop preloading Superfish adware on PCs

    by Terrence O'Brien
    02.19.2015

    Lenovo found itself in a bit of hot water when some customers started noticing weird sponsored links in the search results on their brand-new PCs. The culprit, it turns out, was a little piece of adware called Superfish that the company was shipping on laptops. The company listened to customer complaints and turned off the server-side portion of the app in January. It also stopped preinstalling Superfish on new machines around the same time. While Lenovo said originally that it had "temporarily removed" the software from new machines while its developers worked on an update to address concerns, it now says that it will not preload the software ever again.

  • New Lenovo PCs shipped with factory-installed adware

    by Timothy J. Seppala
    02.19.2015

    Buy a new Lenovo computer recently? Well, it looks like it could be infected with some factory-installed adware. Users on the official Lenovo forums started noticing that search results were being injected with sponsored links (like what happens when a machine is infected with typical adware or spyware) as far back as last September, and some even report that sites including Kelley Blue Book and JetBlue wouldn't render properly at all. This apparently isn't the only problem, however. As Facebook engineer Mike Shaver recently discovered, the program at fault, Superfish, appears to install a man-in-the-middle certificate that allows outside parties to take a peek at secure websites you might be visiting, too. Like your bank's, for example.