Lenovo CTO admits company 'messed up,' publishes Superfish removal tool
Lenovo plans to release an automated tool that will remove the Superfish adware from affected PCs on Friday, said the company’s chief technical officer, who admitted that Lenovo had “messed up.”
Lenovo’s CTO, Peter Hortensius, told PCWorld that the company has published instructions on how customers can remove the Superfish software themselves, but promised an automated solution by week's end. (Lenovo made the Superfish automated update tool available on Friday afternoon.)
Superfish makes visual search apps for Android and iOS, including LikeThat Decor, Pets, and Garden. The tool identifies particular objects and tries to find similar images. In 2012, the company developed WindowShopper, a technology that allowed shoppers looking for a kitchen table online, for example, to find similar products elsewhere. On Lenovo’s PCs, this software stepped in to search more than 70,000 stores to find similar items, according to a Lenovo customer posting.
The Superfish technology was preloaded on several Lenovo consumer PCs, but Lenovo halted the practice in January. Those PCs may have included:
- G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
- U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
- Y Series: Y430P, Y40-70, Y50-70
- Z Series: Z40-75, Z50-75, Z40-70, Z50-70
- S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
- Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
- MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
- YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
- E Series: E10-30
Adi Pinhas, the chief executive of Superfish, said in an emailed statement that the company’s software had not been active on Lenovo PCs since December. “It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today,” he wrote. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.”
Superfish has not been pre-installed on PCs from other manufacturers, Pinhas added.
Superfish security risk was the real issue
Hortensius said that the Superfish software was opt-in, meaning that customers had to approve its use. If they did so, the software stepped in to deliver its own ads. The real concern, however, is that it issued its own security certificates: it installed its own root certificate on the PC and re-signed the SSL certificates presented by HTTPS sites with it, so the browser accepted Superfish's certificate in place of the site's own. That puts the software in a man-in-the-middle position, able to read traffic that was supposed to be encrypted end to end between the user and the site.
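As an added example, not Lenovo's removal tool and not the removal instructions the article refers to, the following PowerShell checks the Windows Trusted Root stores for a self-signed root certificate of the kind described above and offers to delete it. It assumes the certificate's Subject contains the string "Superfish"; the article itself does not name the certificate.

```powershell
# Added example, not Lenovo's tool. Assumption: the injected root certificate's
# Subject contains "Superfish". Modifying Cert:\LocalMachine\Root requires an
# elevated (administrator) PowerShell session.

function Find-SuspectRootCerts {
    param([string]$Pattern = 'Superfish')
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object {
            # A root that re-signs other sites' certificates is itself self-signed:
            # Subject and Issuer are identical.
            $_.Subject -eq $_.Issuer -and $_.Subject -match $Pattern
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Remove-SuspectRootCerts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Pattern = 'Superfish')
    foreach ($cert in Find-SuspectRootCerts -Pattern $Pattern) {
        # The Cert: provider addresses each certificate by store path + thumbprint.
        $path = "$($cert.Store)\$($cert.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($path, 'Remove root certificate')) {
            Remove-Item -Path $path
        }
    }
}

# Report first; -WhatIf shows what would be removed without touching the store.
Find-SuspectRootCerts | Format-Table -AutoSize
Remove-SuspectRootCerts -WhatIf   # replace -WhatIf with -Confirm to actually delete
```

Removing the root certificate stops the browser from trusting re-signed certificates, but it does not remove the software that performs the interception; that still has to be uninstalled. Firefox and Thunderbird keep their own certificate stores, which this Windows-store check does not cover.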
“Going forward, we feel quite strongly that we made a significant mistake here, or we missed something here,” Hortensius said. “We have procedures... where we asked the right questions, but we clearly didn’t do a thorough enough job on this. And we’re going to do a very deep investigation in what we do to make this better. We intend to do that work, and come back and let our users have input into what we need to do... and how we make sure we don’t ever repeat this again.”
“At the end of the day, we’re seeing clearly that we messed up,” Hortensius said.
Hortensius said that Lenovo and Superfish had a “minor commercial relationship,” without specifying further. The Superfish adware has not been re-installed on Lenovo PCs, and Hortensius said that if it struck a similar deal, “it would not be for a very long time”. Lenovo also pledged to talk to partners and industry experts, and announce more details on how it would deal with preinstalls by the end of the month.
With that said, Hortensius didn’t rule out adware returning to Lenovo PCs.
“I think you do this thing right, people like information and awareness,” Hortensius said, when asked whether adware would be used again. “You do them wrong, it’s obviously a disaster.”
Updated at 4:37 PM on Feb. 20 with additional details, including the addition of the automated upgrade tool.