Computer manufacturer Lenovo has come under fire for shipping adware-laden laptops to consumers. Worse yet, data security experts warn that the pre-installed adware, called Superfish, leaves users vulnerable to man-in-the-middle (MitM) attacks that break HTTPS security.
Late Wednesday night, The Next Web published an article on the news, which was initially pointed out by customers in a Lenovo community forum last September. In January, a Lenovo admin tried to calm user concerns by posting that the Superfish Visual Discovery browser add-on had been “temporarily removed” from consumer systems, and that the company had requested that Superfish push an auto-update for consumers who already received computers installed with the software.
According to technology experts at the Electronic Frontier Foundation (EFF), users should move quickly to rid their systems of the program.
While Superfish is detected as adware by many firms, EFF explained in a Thursday blog post that users have much more to worry about than unwanted advertisements appearing on their screens while they browse the web. Superfish installs a self-signed root certificate and uses it to inject ads into secure HTTPS pages, meaning the software could allow an attacker to intercept encrypted SSL connections, and ultimately eavesdrop and steal data during any number of online activities, including checking webmail or signing into online banking applications, EFF said.
In a Thursday interview with SCMagazine.com, Jeremy Gillula, a staff technologist at EFF, further explained the security dilemma introduced by Superfish.
“The issue is that they are installing the Superfish certificate as if it was from a certificate authority,” Gillula said. “Normally the CA would have signed it,” he continued, adding later that “Anyone could pretend to be Superfish” if they have a copy of the Superfish MitM private key.
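The trust problem EFF and Gillula describe can be shown in a few lines. The following is an added illustration written for this article, not code from Lenovo, Superfish, EFF or Errata Security. It uses a toy textbook RSA (fixed Mersenne primes, no padding, not secure) and constructed names: an "Example Trust Root CA", a placeholder "Superfish toy root (constructed)" standing in for the shipped root, and the hostname bank.example. A browser-style check accepts a certificate only if its issuer is a self-signed root in the trust store and the signature verifies. Once the shipped root is trusted, anyone holding its private key can mint a certificate for any site that passes that check; the last function shows the defender's side: find such roots in the store and confirm that removing them makes the forged certificate fail again.

```python
import hashlib
from dataclasses import dataclass

# --- Toy RSA: fixed Mersenne primes and no padding. Illustration only, NOT secure. ---
def toy_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)               # (public, private)

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str   # host name or CA name the certificate is for
    issuer: str    # subject of the CA that signed it
    pub: tuple     # (n, e) of the subject
    sig: int       # issuer's signature over the three fields above

def to_be_signed(subject, issuer, pub):
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()

def issue(subject, subject_pub, issuer_name, issuer_priv):
    data = to_be_signed(subject, issuer_name, subject_pub)
    return Cert(subject, issuer_name, subject_pub, sign(issuer_priv, data))

def is_self_signed(cert):
    data = to_be_signed(cert.subject, cert.issuer, cert.pub)
    return cert.subject == cert.issuer and verify(cert.pub, data, cert.sig)

def validate(leaf, host, trust_store):
    """Browser-style check: name matches, issuer is a trusted self-signed root, signature verifies."""
    if leaf.subject != host:
        return False
    root = trust_store.get(leaf.issuer)
    if root is None or not is_self_signed(root):
        return False
    return verify(root.pub, to_be_signed(leaf.subject, leaf.issuer, leaf.pub), leaf.sig)

def find_suspect_roots(trust_store, needle):
    """Detection: trusted self-signed roots whose subject contains `needle` (case-insensitive)."""
    return sorted(s for s, c in trust_store.items()
                  if is_self_signed(c) and needle.lower() in s.lower())

# --- Constructed actors (all names and keys are placeholders) ---
CA_PUB, CA_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)        # a legitimate public CA
SF_PUB, SF_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)      # root whose private key ships on every affected machine
SITE_PUB, _ = toy_keypair(2**31 - 1, 2**61 - 1)            # the real bank's key
MITM_PUB, _ = toy_keypair(2**31 - 1, 2**89 - 1)            # key used by whoever holds SF_PRIV

CA_ROOT = issue("Example Trust Root CA", CA_PUB, "Example Trust Root CA", CA_PRIV)
SF_NAME = "Superfish toy root (constructed)"
SF_ROOT = issue(SF_NAME, SF_PUB, SF_NAME, SF_PRIV)
BANK = "bank.example"

genuine = issue(BANK, SITE_PUB, CA_ROOT.subject, CA_PRIV)
forged = issue(BANK, MITM_PUB, SF_ROOT.subject, SF_PRIV)   # no CA involved: only the shared key is needed

def demo():
    clean = {CA_ROOT.subject: CA_ROOT}
    tainted = dict(clean, **{SF_ROOT.subject: SF_ROOT})    # store as shipped on an affected laptop
    results = {
        "genuine_clean": validate(genuine, BANK, clean),     # True: normal HTTPS
        "forged_clean": validate(forged, BANK, clean),       # False: unknown issuer
        "forged_tainted": validate(forged, BANK, tainted),   # True: the MitM certificate is accepted
        "suspects": find_suspect_roots(tainted, "superfish"),
    }
    for name in results["suspects"]:                        # mitigation: remove the flagged root
        tainted.pop(name)
    results["forged_after_removal"] = validate(forged, BANK, tainted)  # False again
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Removing the root from the trust store is what makes `forged_after_removal` false; uninstalling only the browser add-on leaves the root, and with it the interception risk, in place.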
On Thursday, Robert Graham, CEO of Errata Security, revealed on his blog that he was able to extract the Superfish certificate via reverse engineering and crack the password encrypting it. In an earlier post published Thursday, Graham provided a breakdown of the security issue.