Lenovo claimed it will not include Superfish in its products in the future. The question, however, is how dangerous the adware is to consumers. According to specialists, this problem is worse than they initially thought.
Last week, several reports claimed that Lenovo notebooks have been issued to consumers containing a preloaded security flaw. At first, Lenovo declared that the Superfish adware is not a security concern. Now, the Chinese tech giant has admitted that the software is able to install its own self-signing MITM (man-in-the-middle) proxy service. This means that Superfish has the potential to hijack TLS and SSL connections, causing a severe security vulnerability.
This Saturday, the tech giant released a statement saying that they “did not know about this potential security vulnerability,” and admitting that they made a mistake. “We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it,” the statement continued.
To eradicate the adware from the firm’s products and security companies, Lenovo has released a removal tool. After some research, Lenovo said that Superfish came preloaded on notebook products somewhere between September 2014 and February 2015. The company managed to reach out to Superfish and have all server activity associated with their products disabled. Lenovo also promised not to preload this software on products in the future.
This Friday, the Threat Infrastructure team at Facebook issued an analysis of the adware, saying that Superfish is different thanks to its ability to intercept TLS and SSL website connections. “The new root CA undermines the security of web browsers and operating systems, putting people at greater risk,” Facebook’s team declared. Another problem is that the new root CA is the same across many different PCs. Because the same keys and certificate are reused, the Facebook team says, PCs are left vulnerable to MITM attacks on networks like public Wi-Fi.
“Although we are not aware of anyone abusing this certificate in the wild, it’s a real risk and would be hard to detect,” the Facebook team concluded. Hopefully, Lenovo will solve the issue as fast as possible.