Lenovo’s choice to pre-install Superfish software on its computers has introduced a security flaw that exposes customers to HTTPS man in the middle attacks, according to security researchers.
The Superfish software, which Lenovo claims helps users find similar products at lower prices, also installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits.
This means that when owners of Lenovo computers with the adware installed visit an HTTPS site, the certificate their browser sees is signed and controlled by Superfish, which lets it read the encrypted traffic and inject the adverts Lenovo wants to push.
US security researcher Chris Palmer confirmed that Superfish substitutes its own certificate for a website’s official one by visiting the Bank of America website on a new Lenovo Yoga 2, Ars Technica reported.
Palmer found that the certificate for the site was not signed by certificate authority VeriSign as it should have been, but instead by Superfish.
He found that the same Superfish-signed certificate was presented to his browser when he visited other HTTPS-protected websites, which means every HTTPS-protected website is affected.
Palmer then found that the Superfish certificate installed on his Yoga 2 used the same private key as the Superfish certificate installed on another Lenovo PC.
This means anyone holding that private key could potentially create fake HTTPS websites that vulnerable Lenovo machines would accept as genuine.
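The check Palmer performed by hand, inspecting who issued the certificate a site presents, can be scripted. The following PowerShell is an added example, not code from the article or from Lenovo or Superfish; the host name and the 'Superfish' issuer pattern are assumptions for illustration, and it runs on the Windows machine under examination.

```powershell
# Added example (not from the article): connect to an HTTPS host, capture the certificate
# the server presents, and report who issued it and which root the local Windows stores
# chain it to. On an affected machine the issuer is a Superfish certificate rather than
# the site's public CA. The host name and the 'Superfish' match pattern are assumptions.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we want to inspect it, not have .NET reject it first.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain the way Windows would, against this machine's trusted root stores
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($leaf)
        $root = ($chain.ChainElements | Select-Object -Last 1).Certificate

        [PSCustomObject]@{
            Host       = $HostName
            Subject    = $leaf.Subject
            Issuer     = $leaf.Issuer
            Thumbprint = $leaf.Thumbprint
            ChainRoot  = $root.Subject
        }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}

function Test-InterceptedConnection {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$SuspectPattern = 'Superfish'   # assumption: match on the issuer name
    )
    $info = Get-PresentedCertificate -HostName $HostName
    # Flag the connection if either the leaf's issuer or the chain's root names the suspect CA
    $flagged = ($info.Issuer -match $SuspectPattern) -or ($info.ChainRoot -match $SuspectPattern)
    $info | Add-Member -NotePropertyName Intercepted -NotePropertyValue $flagged -PassThru
}

# Usage:
# Test-InterceptedConnection -HostName 'www.bankofamerica.com' | Format-List
```

On a clean machine the Issuer field names the site's public certificate authority and the chain ends at a well-known root; on an affected machine both name Superfish, because the locally installed root is what makes the substituted certificate chain cleanly. Comparing the reported Thumbprint with the one seen from a known-clean machine or network is a further cross-check.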
It is not known how many Lenovo computers are affected, but the company has “temporarily removed” Superfish from its consumer systems.
In late January, a Lenovo representative said in a blog post that the Superfish browser add-on had been removed “due to some issues (browser pop-up behaviour for example)”.
He said Superfish had been asked to address these issues and that, for units already in the market, Lenovo had asked Superfish to create an auto-update to fix them.
The blog post did not acknowledge any security risk, but said the Superfish software is pre-installed on consumer products only and does not profile or monitor user behaviour.
“It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted,” wrote Mark Hopkins, program manager, Lenovo social media services.
The Superfish man in the middle vulnerability reportedly affects Internet Explorer and Google Chrome, but not Mozilla Firefox, which maintains its own certificate store.
Some Twitter users have called for computer suppliers to be banned from pre-installing anything besides operating systems and necessary drivers.
Some security commentators have advised Lenovo PC owners concerned about Superfish to install a known clean version of their operating system.
Other security experts have said that while a clean operating system install is preferable, it is not always practical.
“Pre-installed software is always a concern because there's often no easy way for a buyer to know what that software is doing – or if removing it will cause system problems further down the line,” said Chris Boyd, malware intelligence analyst at security firm Malwarebytes.
He recommended that affected Lenovo computer owners uninstall the Superfish software and then type certmgr.msc into the Windows search bar. “From there, they can find and remove the related root certificate,” he said.
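The certmgr.msc step Boyd describes can also be done from PowerShell, which makes it easy to audit a fleet of machines. This is an added example, not code from the article or from Malwarebytes; the '*Superfish*' subject pattern is an assumption based on the name the article gives, and the output should be reviewed before anything is removed.

```powershell
# Added example (not from the article): the PowerShell equivalent of the certmgr.msc step
# Boyd describes. It lists root certificates whose subject matches a pattern in both
# Trusted Root stores, then removes them. The '*Superfish*' pattern is an assumption based
# on the name the article gives; review the output before removing anything.
function Find-SuspectRootCertificate {
    param([string]$SubjectPattern = '*Superfish*')
    # certmgr.msc shows the current user's stores; the machine-wide store is checked as well
    foreach ($storePath in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $storePath |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store         = $storePath
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    NotAfter      = $_.NotAfter
                    # Any trust anchor whose private key is reachable from this machine
                    # deserves scrutiny: whoever holds that key can sign for any site
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Remove-SuspectRootCertificate {
    param(
        [string]$SubjectPattern = '*Superfish*',
        [switch]$WhatIf            # dry run: show what would be removed
    )
    # Removing from LocalMachine\Root requires an elevated (Administrator) session
    foreach ($cert in Find-SuspectRootCertificate -SubjectPattern $SubjectPattern) {
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -WhatIf:$WhatIf
    }
}

# Usage (uninstall the Superfish application first, as Boyd advises, so it cannot re-add the root):
# Find-SuspectRootCertificate | Format-Table -AutoSize
# Remove-SuspectRootCertificate -WhatIf
# Remove-SuspectRootCertificate
```

Uninstalling the application before removing the certificate matters because an installed component can simply re-add its root on the next run. Firefox keeps its own certificate store, as the article notes, so this audit covers the Windows store that Internet Explorer and Chrome rely on, not Firefox's.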
Lenovo has issued a statement responding to the furore on Twitter and other online forums, saying that, following negative user feedback, Superfish is no longer being installed.
“Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products,” the company said.
“Lenovo stopped pre-loading the software in January and we will not pre-load this software in the future,” the statement said.
But Lenovo said it has investigated the technology “thoroughly” and has not found any evidence to substantiate security concerns.
“Users reacted to this issue with concern so we have taken direct action to stop shipping any products with this software,” the company said.
Lenovo reiterated that Superfish technology is contextual and image-based rather than behavioural, that it does not profile or monitor user behaviour, and that it does not record user information.
“The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognise that the software did not meet that goal and have acted quickly and decisively,” the company said.
Lenovo said it is providing user support on the company’s forums for any users with concerns.