Superfish, the creator of the dangerous adware preloaded onto many new Lenovo PCs, has finally issued an extended statement on the matter, and, well, it’s basically sticking its head in the sand and denying any wrongdoing whatsoever.
In a statement sent to PCWorld, Superfish CEO Adi Pinhas talks about how Superfish is a visual search tool designed to “enhance the online shopping experience for Lenovo customers,” and that it doesn’t collect any personal data. But beyond the PR talk, Pinhas’ statement reveals Superfish taking a startlingly oblivious position—first for what it says at one point, and also for what it brushes off as inconsequential.
Let’s start with what’s written down. Here’s the passage:
“There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops… Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk.”
Ironically, at around the same time representatives sent us the email, the United States Computer Emergency Readiness Team issued an official alert warning of the considerable dangers of the Superfish adware preloaded on many Lenovo consumer PCs. US-CERT recommends removing Superfish and its root certificate from affected PCs.
"Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," US-CERT warns.
Why? Because of the deeper issue at play here—one that Pinhas’s statement brushes off.
The core issue with the Superfish adware isn’t that it may or may not be tracking customer behavior. (Both Lenovo and Superfish say it isn’t.) The problem is that the web is increasingly embracing encrypted HTTPS connections, and in order to inject its ads into secured sites, Superfish uses the equivalent of a man-in-the-middle attack to interfere with encrypted HTTPS connections—undermining the trust between users and websites. How? By installing a self-signed root certificate deep inside Windows, which it then uses to re-sign SSL certificates from legitimate websites.
Worse, Superfish uses the same certificate on every affected Lenovo system, and it does so using a weak, deprecated version of encryption. In fact, security researchers have already extracted the private key for the certificate. Hackers can easily launch their own man-in-the-middle attacks on users of affected Lenovo PCs by leveraging this shocking vulnerability put in place for Superfish.
That’s very, very, very bad.
Pinhas says “a vulnerability was introduced unintentionally by a third party,” but it’s downright shocking for him to say “Superfish software does not present a security risk.” While Pinhas is technically correct—the true danger lies in the certificate, not the Superfish software itself—to say that Superfish “does not present a security risk” as it was implemented in Lenovo’s PCs seems incredibly disingenuous.
Fortunately, other technology giants are already moving to fix the vulnerability.
Lenovo stopped using the Superfish software in January, and its contrite CTO told PCWorld “We messed up” while vowing to provide a tool to remove Superfish from affected PCs. While we haven’t seen that yet, Microsoft quickly pushed out a Windows Defender update that eliminates the Superfish adware and the root certificate in Windows, but not the Superfish certificate stored in Firefox’s separate certificate manager, if you use that browser. Likewise, some other antivirus solutions identify Superfish as adware or a potentially unwanted program, but won’t remove the rogue certificate from Windows or Firefox.
If you want to truly eradicate the Superfish adware and its dangerous certificate from your Lenovo PC—you know, like the United States government recommends—it’s best to remove everything manually, just to be sure. PCWorld’s guide to removing Superfish from your Lenovo PC can help you do just that.
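Because the danger described above lives in the Windows trusted-root store rather than in the adware executable, the first thing to check on a Lenovo PC is whether such a root certificate is still trusted. The following PowerShell script is an added example, not code from the article, from Lenovo, or from Superfish. It assumes the certificate can be recognised by the substring "Superfish" in its subject or issuer name (the article gives no thumbprint, so the script reports what it finds rather than hard-coding an identifier), and it previews removal with -WhatIf so nothing is deleted until you drop that switch and run from an elevated prompt.

```powershell
# Added example (not from the PCWorld article or from Lenovo/Superfish): audit the
# Windows trusted-root stores for a self-signed root that names Superfish.
# The name match is an assumption; replace $pattern with an authoritative
# thumbprint check if you have one from your vendor or from US-CERT.

$pattern = 'Superfish'   # assumed substring to match in Subject/Issuer

# Both stores grant trust: LocalMachine for every account, CurrentUser for this one.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                # A root used to re-sign other sites' certificates is its own issuer.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $findings) {
    Write-Output "No trusted root matching '$pattern' found in the Windows root stores."
} else {
    $findings | Format-Table -AutoSize

    # Removal, per the US-CERT recommendation quoted above. -WhatIf only previews;
    # remove it (and run elevated for the LocalMachine store) to actually delete.
    foreach ($f in $findings) {
        Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -WhatIf
    }
}
```

As the article notes, Firefox keeps its own certificate store, which this script does not touch; that store has to be inspected and cleaned separately through the browser's certificate manager. Removing the certificate also does not uninstall the adware itself, so the two steps belong together.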
Oh, and the third-party company that created the certificate that compromised encrypted connections for Superfish? It’s called Komodia, and it’s stuffed similarly dangerous root certificates into other programs, too. Enjoy your weekend.