Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Advertising China Your Rights Online Hardware

Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers 248

An anonymous reader writes It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission. Another anonymous reader points to this Techspot article, noting that that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick. Also at ZDnet.
This discussion has been archived. No new comments can be posted.

Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers

Comments Filter:
  • by AltGrendel ( 175092 ) <`su.0tixe' `ta' `todhsals-ga'> on Thursday February 19, 2015 @08:52AM (#49086743) Homepage
    ...to wipe the box and install some other OS.
    • s/other //

      FTFY

    • I'll just buy from elsewhere if I need a Windows machine. I have a one strike and you are out policy on this kind of nonsense. I used to buy their machines back when IBM was still making them but they seem to have lost their way.

      • Build your own. Works best for Windows machines and Linux as well

        • by sjbe ( 173966 )

          Build your own. Works best for Windows machines and Linux as well

          I'm not a hobbyist and don't have the time. Any Windows machine I buy will almost certainly be for work and I'm not about to waste a ton of time building a machine. If Lenovo wants to load their machines with spyware then there are plenty of other options out there.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Serious Question - So these Lenovo computers most likely come with UEFI. I recently tried wiping a new UEFI Lenovo PC and re installing using a WIN 7 CD, and the key was retrieved using a tool to read the OS. When It came time to "activate" the fresh WIN 7 OS, that key would not be accepted. Lenovo support said they couldn't provide another key, and that only the recovery CD would work. Are there any known workarounds for this?

      • I have the similar problem with HP book that had no drivers at all except a recovery Win7 CD. My attempt to reinstall a Win8.1 from scratch failed due to absence of drivers. Moreover, there ARE good drivers for it but Win8.1 insists on replacement of them with fresh but incompatible drivers. As a result, I gave the book to my Windows-only friend and switched to Lenovo. I don't use Windows, but at least the Windows drivers for Lenovo are downloadable from their site.

    • I ALWAYS format a new laptop, don't need or want their stooped recovery partition, waste of space. Can understand how the other 90% of people on the planet love it, but for me it's a waste of space.
      • by mlts ( 1038732 )

        I'm the same way. The recovery partition is just a chunk from the HDD, so malware can easily seize control of that. Plus, I prefer server operating systems (paid for, of course.) Some laptop makers like Dell can ship a business-line model with a server OS, and since it comes from the OEM, there is a good chance the OS can just activate from the BIOS certificates. I have yet to see a machine shipping with a server OS have any crapware on it, other than maybe some administration tools.

        I wish laptop makers

    • by mlts ( 1038732 )

      Even wiping the box may not work. For example in the case of LoJack for Laptops, there is BIOS support that can get a machine to reload the utility even if the main BIOS is reflashed and all media (hard disks, SSD, etc.) are erased. In the case of this product, it can be a good thing, but this same technology that can protect a laptop can be used to reinstall spyware.

    • Or, just wipe it and install the same OS, but from a generic source.

      Of course I have yet to see a piece of software that I couldn't in some way uninstall or totally disable, even if it meant manually hacking it out of the registry and deleting it's files.

      I've never bought a new, pre-built computer before; can you get them without any OS installed?
  • by invictusvoyd ( 3546069 ) on Thursday February 19, 2015 @08:52AM (#49086745)
    Ad's even after you go through the gentoo stage 3 , compile your custom kernel and build your userspace from source ?
    • If it comes from the disk firmware [reuters.com], even Gentoo can't get rid of it!
      • Disk firmware version is not a standalone program. It's a Windows (and maybe Mac) parasite as all the Equation group. You cannot catch it without using a Windows. If it does not find a host to infect it has exactly 3 ways: 1) Self-destruct, and the problem is solved, 2) Pretend to be nonexistent, and problem is at least nonexistent while you use Gentoo, 3) Crash and be sent to Kaspersky.

        • by suutar ( 1860506 )

          true... but if it were the NIC bios, it could perhaps be OS-neutral, just pretending "yeah, the other end had this in the html that came in, honest". At least for non-https.

    • by Anonymous Coward
      Do that with OpenBSD.
    • Re: (Score:2, Troll)

      by Just Some Guy ( 3352 )
      No, because it would presume you are broke and have more time than money.
    • Heck no. By then, the Internet as we know it will no longer exist, Lenovo will have been out of business for decades, and the IPv22 networks that connect the nanobrains that governments will embed inside our mitochondria, at birth, will no longer understand how to process or route IPv[46] packets.
  • Hardly allegedly (Score:5, Informative)

    by OzPeter ( 195038 ) on Thursday February 19, 2015 @09:07AM (#49086837)

    From the ZDnet link

    The issue has remained latent since Mark Hopkins, a Lenovo social media program manager, confirmed in January that the company was installing the Superfish Visual Discovery software on some of its products in order to serve ads.

    • by TheBogBrushZone ( 975846 ) on Thursday February 19, 2015 @09:25AM (#49086993)
      Not allegedly at all. My new Y50 (3 weeks old) came with Superfish pre-installed, phoney root certificates and all. Luckily I've encountered Superfish before when they were trying to insinuate themselves into every extension they could on the Chrome Web Store so it was easy to spot and obliterate.
    • Re: (Score:2, Informative)

      by Anonymous Coward
    • And here's the kicker:

      Hopkins defended the adware, saying that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.”

      I mean, damn... How stupid do they think people are, that they can actually present this adware as a positive thing for consumers?

      Even though Hopkins says the company has stopped installing the software on computers, it appears that’s only “temporary” until the company behind the software makes some tweaks to stop pop-ups.

      Aaand... they're just going to tweak it so it's less noticeable. Nice. This software creates a potential man-in-the-middle attack by installing it's own signed certificate on your system so it can show embedded ads even if you have a secure connection. Nasty, nasty stuff from a privacy concern. This could easily become malware if not for the "good grace

      • by mlts ( 1038732 )

        For desktops, I end up doing similar, and building my own (for my personal use.) However, for laptops, it is good to go with a brand's business line (not consumer junk, but business tiers that actually will offer decent CS). Similar if one needs desktops for a company (since for accounting and auditing, it is good to have machines that have similar hardware or one easily trackable model ID.)

        Of course, for personal laptops, there is always Apple. Even if one installs Windows on it (easy to do as it is a U

  • When I needed a new laptop, I heard good things about Lenovo and they had a good deal so I ordered one. It initially said it would ship in 2 weeks. One week later, that ship date turned into 8 weeks. When I called asking why, I was told "we need some parts" (they wouldn't specify what parts). They also said that it *could* ship earlier but they couldn't guarantee when it would ship. When I tried to cancel, I was told I couldn't but that I could submit a form requesting cancellation which, if approved,

    • you didnt order a business-grade laptop, did you?

      I have one and mostly love it. the pci-e blacklist SUCKS (tried installing a new wireless card and it refused. not on the 'ok' list. had to install a hacked bios to allow any pcie card to be installed. HP is the same stupid way, too). and to be honest, with the hacked bios (I didnt hack it) I'm now at risk since I have no good idea what that 3rd party did to create the unblack blacklist, so to speak.

      but if you don't need to hack the bios (buy all your st

    • I ordered a Thinkpad X60 from back when they were still IBM and got the same kind of fluctuating ship date BS (although I didn't respond by cancelling my order)... I guess nothing's changed.

    • Re: (Score:2, Offtopic)

      by hey! ( 33014 )

      I've had bad luck with Toshiba laptops in terms of durability and Linux support. In particular the ACPI DSD tables on Toshibas that I've had detect non-Windows operating systems and *deliberately* disable certain hardware like sound. It's fixable, but a PITA, adding extra steps every time you do a kernel upgrade.

      For years IBM then Lenovo was my choice for build quality, but I guess from here on out I'm sticking with Apple. I'm very pleased with the hardware.

  • Revenge (Score:5, Interesting)

    by Jim Sadler ( 3430529 ) on Thursday February 19, 2015 @09:08AM (#49086857)
    There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.
    • Re:Revenge (Score:5, Insightful)

      by kelarius ( 947816 ) on Thursday February 19, 2015 @09:16AM (#49086923)
      It's more likely that Lenovo installed this software because they were paid to do so (either directly or through kickbacks to Mike Hopkins or whatever VP) and they simply didn't vet the software to make sure that it wasn't malicious. So while some people in the organization may be guilty of negligence they would never get convicted on anything close to CFAA levels.
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      You seem to believe that laws apply equally to corporations and people. You must not be American.
    • by Jawnn ( 445279 )

      There are some really harsh laws concerning hacking and cracking. If Lenovo knew or caused this breach perhaps they could be prosecuted and actually jailed for this behavior.

      Oh please. Laws are for little people. You know, the ones who aren't corporations. No one is going to jail for "just doing what it takes to 'compete' in a free market". What did you think we meant when we had our Spokesman In Chief tell you that "government is the problem"?

  • by Billly Gates ( 198444 ) on Thursday February 19, 2015 @09:13AM (#49086889) Journal

    What were Lenovo thinking? People pay bills online you know. Easily can steal lots of information

    As much as we bashed RMS here for being a lunatic he has a point with trusting a for profit entity making closed source software.

    • by Dr. Evil ( 3501 ) on Thursday February 19, 2015 @09:26AM (#49087005)

      bankofamerica.com courtesy of Superfish:

      https://i.imgur.com/Ky0Bwih.jpg [imgur.com]

      Not sure about the source of the screenshot, independent confirmation would be good.

      • by QuasiSteve ( 2042606 ) on Thursday February 19, 2015 @09:40AM (#49087125)

        Wouldn't really need one - SuperFish works in such a way that it inserts itself for any site. What would it do otherwise, keep a blacklist of all the possible banking/investment/whatever sites in the world that it should ignore?

        So yes, bankofamerica.com courtesy of SuperFish, but also facebook courtesy of SuperFish and YouTube courtesy of SuperFish and Mom & Pop's corner store courtesy of SuperFish.

        It's a nasty piece of software in that its intent is to serve up ads (and/or collect information, of course), but this sort of thing is also readily available on the market for parents who want to keep tabs on little johnny's browsing habits or bosses who want to keep tabs on their employees. Unless johnny/employee / their browser checks the certificate and notices it's probably not what it's supposed to be despite being perfectly valid, bob's your uncle.

        • by Dr. Evil ( 3501 )

          It didn't occur to me that it actually included the private key for its own root certificate in the local proxy...

          Unbelievably stupid design.

          • How could it MITM with only the public key? It needs to sign each destination HTTPS site with the private key.

            Each install could generate a unique key pair and install a new root cert.

        • Is there a way for sites to detect and block this?

          • Is there a way for sites to detect and block this?

            No. The host is compromised.

            Even if the bank mailed you a copy of their real cert, the compromised host could just update the malware to fetch the real cert and display that when the user tries to view the cert's details.

            Even if the bank handed you a copy of a UNIQUE cert they use for ONLY for you, IN PERSON, and you handed them your own UNIQUE client cert, the compromised host could just watch all the legit shit happen when you log in the first time, then fuck you in the ass with that legit information.

            Ev

  • by brennz ( 715237 ) on Thursday February 19, 2015 @09:30AM (#49087041)

    See http://blog.erratasec.com/2015... [erratasec.com]

    Now all these boxes can be owned by anyone with the key!

  • I just checked on my Lenovo Yoga 2 Pro I bought a few months ago, and it does not have Superfish as a trusted root certificate authority, as indicated in the screenshot in TFA.

  • Nothing new. (Score:5, Informative)

    by nospam007 ( 722110 ) * on Thursday February 19, 2015 @09:46AM (#49087181)

    That's why you run decrapifier as the very first thing. http://www.pcdecrapifier.com/ [pcdecrapifier.com]

    Only then do you run your ninite selection. https://ninite.com/ [ninite.com]

    • lenovo was caught and they are backpeddling. they SAY there is a removal script.

      does it do a complete job? somehow, I have my doubts and that it leaves some stuff behind (like almost all windows 'uninstallers').

      I really wish the US would punish companies (in a truly painful way, such as 10% or more of their GROSS income) when they act in bad faith, on purpose, like this.

      then again, if the US punished bad actors, it would have to constantly punish ITSELF.

      well, maybe that's needed too .....

      as we all know,

      • I wonder how much money they made by selling out and compromising the systems of so many of their customers. If I was to rob someone of just $10, I would face court and hundreds if not thousands in fines. This society truly is set up to only punish poor people and their types of crime.
      • by bmo ( 77928 )

        does it do a complete job? somehow, I have my doubts and that it leaves some stuff behind (like almost all windows 'uninstallers').

        It doesn't

        http://forums.lenovo.com/t5/Le... [lenovo.com]

        Uninstalling Superfish Visual Discovery

        Go to Control Panel > Uninstall a Program
        Select Visual Discovery > Uninstall
        Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. The Superfish serv

      • as we all know, if a bad actor behaves badly and there is no punishment, what reason does he have to change his bad ways?

        the fact that the US fellates all corporations, as a form of religion, is what allows them to continue the bad behavior. in fact, it encourages it by rewarding 'profit, above all else'.

        it really seems clear to me that we have chosen the wrong 'god' to worship. profit, above all else, WILL be our downfall. it has started already and many of us see it. but our words are not being heard ;(

        It started with a good idea: make it so that a person who makes a mistake running their business can't be sued into personal oblivion. If you remove that major risk factor, it will encourage (or more accurately, not heavily discourage) more people to start their own businesses. Eventually, though, corporations got big enough that they could use this merely to shield themselves from the consequences of any actions they take, so there's no risk at all to doing things that would likely destroy most small busin

  • by fonos ( 847221 ) on Thursday February 19, 2015 @10:19AM (#49087475)

    http://forums.lenovo.com/t5/Le... [lenovo.com]

    "Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
    Lenovo stopped preloading the software in January.
    We will not preload this software in the future."

    However, later in the post they state that the root CA will remain intact. The private key has already been extracted and cracked, so this leaves Lenovo users still open to a very easy MITM attack.

    • by JohnFen ( 1641097 ) on Thursday February 19, 2015 @12:22PM (#49088545)

      Yes, that response was insufficient on a number of points. But what struck me about their statement was this:

      The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

      Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"? They can't possibly believe that. If they do, then they're hopelessly delusional. If they don't, then they're scumbag liars. Either way, it does nothing but make them look terrible.

      • Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"?

        Because it's the only way they can possibly spin advertising as being somehow pro-consumer. There's really no other way.

      • by zlives ( 2009072 )

        "enhances the experience for users"

        that's why super-fish is mandatory and installed on all their corporate PCs?

  • I've ran into this recently on a Lenovo tablet, but I don't think it was superfish (honestly I don't remember the name, but it was factory installed. ADWCleaner caught it.) although it looks like they purposely obfuscate the name to confuse people so they can't uninstall it.

    And this is Adware No. 2 for them. They had their own homebrewed Adware program called Message Center Plus. It was so bad that MSE Detected it.

    IBM knew How to make a Laptop. Lenovo Knows how to exploit a Brand Name. it's a good thing Goo

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday February 19, 2015 @10:28AM (#49087545)
    Comment removed based on user account deletion
  • Total Idiocy (Score:5, Informative)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Thursday February 19, 2015 @10:30AM (#49087565) Homepage Journal

    "Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well."

    Which means we can crack that shit and pwn any computer that even had the software 'removed.'

    Oh, and then issuing certificates under the names of other corporations? I do believe that is identity theft, at the bare minimum.

    Lenovo should be hit in the courts hard over this.

  • by Khyber ( 864651 ) <techkitsune@gmail.com> on Thursday February 19, 2015 @11:25AM (#49088019) Homepage Journal

    Firefox maintains its own certificate database so this SSL MITM vulnerability won't affect FF users - only IE and Chrome.

  • I'm a big ThinkPad fan, but I generally go download a fresh set of drivers and run my own OS install when I buy one.

    This just sounds like a PC manufacturer wanting to juice the margin a few dollars by installing some crapware. Most techies just wipe out the crapware, but the crapware vendors pay the manufacturer to put their crapware on the machine image. Unfortunately, it looks like they went one step further and installed crapware that was spyware also.

    I'm surprised they thought they could get away with i

  • Well, I'll just add Lenovo onto my list of companies whose products I will never again purchase. That they could think this was an acceptable thing to do tells me that they cannot ever be trusted.

  • So you could say the fish was caught?

  • Really guys? This is on the Windows side. The Windows OS is one massive piece of malware. It is like you are crying over a cut when there is a massive gaping shotgun blast through the chest. Once you agree to the Windows terms of service, you are already compromised. They now have you signing in with your microsoft ID account that tracks you anyway. However, once you install GNU/Linux or Open BSD or any freedom respecting software like Trisquel or FreeSlack or Dragora, they cannot do anything to you. Lenovo
    • by Khyber ( 864651 )

      "Really guys? This is on the Windows side"

      Nope, just tried using the injection code that the malware has for FireFox under Linux (Ubuntu) - it works and injects into FF's certificate store.

      Perhaps you should do some of the work yourself instead of spouting off nonsense.

      • So what you are saying is that if you run OpenBSD, or any Libre GNU/Linux distro, Lenovo malware will break through whatever security precautions you take and own your machine? Documentation please.
  • http://i.imgur.com/kRO8OW5.png [imgur.com]

    A nice cached screencap of their (conveniently) down website.

    See all these people, here? These are the people that need to be dragged into court.

  • by WinstonWolfIT ( 1550079 ) on Thursday February 19, 2015 @02:11PM (#49089609)

    From : http://news.lenovo.com/article... [lenovo.com]

    LENOVO STATEMENT ON SUPERFISH
    Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

            Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
            Lenovo stopped preloading the software in January.
            We will not preload this software in the future.

    • by Khyber ( 864651 )

      Yea, and it's a big lie as there are forum posts in JUNE talking about this exact software.

      Do you bother to do investigation before jumping to a conclusion?

  • How does interfering with user encryption this way not qualify as a violation of the Computer Fraud and Abuse Act (CFAA) ?

    • by Khyber ( 864651 )

      Considering it's bypassing BANK security stuff as well as anything else using SSL...

      Well, the execs won't see jail time - they're in fucking China.

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...