Warning: Lenovo Computers Shipped With 'Superfish' Malware

Article Placeholder Image
By Mark Wilson, Esq. on February 19, 2015 1:55 PM

If you recently bought Lenovo computers for your office or firm, then you may want to make sure they're not running a vicious piece of adware that can impersonate a website's security certificate.

According to various reports, confirmed by security researchers, some Lenovo-brand computers ship with a kind of malware called "Superfish" that injects advertisements into users' browsers and impersonates security certificates, meaning the "secure" website you're visiting isn't secure at all.

A Security Hole the Size of Houston

The point of Superfish is just to be annoying and present ads in your browser (companies are irate that people are using ad-blocking software), but the software's developers achieved this relatively benign purpose by opening up a giant security hole that breaks secure connections.

The malware works using a "man in the middle" attack, in which the Superfish software intercepts traffic destined for a website, injects ads into the traffic, then sends the traffic back to the user's Web browser. This is bad enough, but Superfish installs a security certificate on a user's computer so that it can inject ads into secure websites that use HTTPS as well. (Because the certificate is installed at the operating system level, all Web browsers are vulnerable.)

When processing information from a secure site, Superfish replaces the website's security certificate with its own, self-signed certificate. While Superfish isn't currently using this to misrepresent websites, there's nothing stopping some enterprising hackers from using the Superfish certificate to falsely claim that a website is, for example, Bank of America when it really isn't. A security researcher cracked the certificate's encryption, meaning that anyone who can crack the encryption can use the certificate's private key to falsely present a website as secure when it isn't.

Is Your Computer Affected?

According to Ars Technica, Superfish was preinstalled on Lenovo computers shipped between October and December 2014. The following models are affected:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

If you're not sure whether your computer is running Superfish, head to this website to find out if you have the Superfish certificate installed. The site also provides removal instructions.

If you're extremely worried and want to reformat and reinstall, make sure you do so from the Windows installation disc and not the manufacturer's "restore" disc, as the latter will likely reinstall all the preinstalled junkware.

Related Resources: