Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections



Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

 

This is no joke. Anyone that bought a Lenovo PC this past fall is affected by this. Be very careful and avoid HTTPS websites until you get this fixed...including your bank's website.

Full article: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

Also: http://www.theverge.com/2015/2/19/8069127/superfish-password-certificate-cracked-lenovo


I think it is only affecting IE and Chrome.

Firefox is using a different certificate system or something. I could be wrong though, as I was reading something about it hours ago for a little bit when I could not sleep, so I was mostly skimming.

Anyway, I use a Lenovo convertible tablet for work, so I will have to check out if this is an issue on my machine (it was bought in September 2014).

EDIT:

Yet Superfish dates back by at least two years and Lenovo, which is the biggest PC manufacturer in the world, sold 16 million computers in the 4th quarter of 2014 alone.

Google Chrome and Internet Explorer users are most vulnerable, while the Firefox browser appears to be largely unaffected as it has its own list of SSL certificate providers.

from: http://www.ibtimes.com/millions-lenovo-pcs-vulnerable-superfish-hack-how-see-if-youre-affected-1821360

Looks like I should be OK, though I will have to look into that next time I use my Lenovo. :)

Also, another reason to like Firefox (I have been using it since forever, and after trying all the others, I still love it the best).


I think it is only affecting IE and Chrome.

Firefox is using a different certificate system or something. I could be wrong though, as I was reading something about it hours ago for a little bit when I could not sleep, so I was mostly skimming.

Anyway, I use a Lenovo convertible tablet for work, so I will have to check out if this is an issue on my machine (it was bought in September 2014).

The article says that it was installed on computers manufactured between October and December of 2014.  So you may be safe.


Just one of many reasons why the first thing I do with any pre-built device (which I try to avoid as much as humanly possible) is nuke it from orbit and start with my own install. Only way to be sure.


The article says that it was installed on computers manufactured between October and December of 2014.  So you may be safe.

The article is quoting the original Lenovo press release, which says Oct - Dec, but was later changed to Sept - Dec.

 

Lenovo doesn't even know when it started installing it.  :s


I have a Lenovo Y50 that I bought around this time last year, I think. When I heard about this, I checked my certificates and didn't find anything, but when I did a search for "superfish" in the registry, I found an entry referencing a superfish.dll that doesn't exist on my hard drive. I scanned for that sh-- and found nothing else remotely related to Superfish. I double-checked everything again, so I'm fairly certain it's not a problem for me. But it definitely seems like Lenovo has been doing this (or planning this) for a while, not just this past fall.

Link to comment
Share on other sites
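
A read-only check along the lines of what the post above describes (looking through the certificate stores and for leftover "superfish" entries), as an added example that is not part of the original thread. It assumes Windows PowerShell, matches on the name "Superfish" only, and looks at installed-program entries rather than searching the whole registry.

```powershell
# Added example (not from the thread): read-only check for a "Superfish"
# trusted root and leftover program entries. Run in Windows PowerShell.
$pattern = 'Superfish'   # assumption: match by name, as the poster searched

# Windows stores that hold trusted roots for IE and Chrome.
# Firefox keeps its own certificate store, which this does not inspect.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot'

$certHits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotBefore, NotAfter
}

# Installed-program entries (64-bit, 32-bit and per-user views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$appHits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern -or $_.Publisher -match $pattern } |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString

if ($certHits) {
    Write-Warning "Trusted root matching '$pattern' is installed:"
    $certHits | Format-List
} else {
    Write-Output "No trusted root matching '$pattern' in the Windows stores."
}

if ($appHits) {
    Write-Warning "Program entries matching '$pattern' are present:"
    $appHits | Format-List
} else {
    Write-Output "No installed-program entry matching '$pattern'."
}
```

The same certificate can be listed under both the machine and the user store paths, and a root installed under a different name would not match this pattern.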

The article is quoting the original Lenovo press release, which says Oct - Dec, but was later changed to Sept - Dec.

 

Lenovo doesn't even know when it started installing it.  :s

Since I can't find the edit button to edit this post, I need to retract what I said. ArsTechnica (who is where I was getting my info from) made a mistake and doesn't know how to use a calendar or something. The original date is probably Oct. Maybe not, but I'm less certain than I was.


JUST bought a Lenovo last week.  Wonderful.

Any idea how to find the manufacture date?

 

I'd say look to see if you have anything related to superfish installed.  That will help tell you when it is built. 


JUST bought a Lenovo last week.  Wonderful.

Any idea how to find the manufacture date?

 

https://www.canibesuperphished.com/

 

Anyone with a Lenovo laptop should follow these steps:

  • Go to this web address and check to see if you get a security warning.

    • if you DO get a security warning, you're probably not infected
    • if you DON'T get a security warning, you're almost certainly infected (exception being if you've disabled security warnings like an idiot)
  • If you're infected, or even if you're not and just want your computer to run faster and have less pre-installed poop, install a fresh copy of Windows.

    • It's always a good idea to install a fresh copy of Windows on a new PC since virtually every OEM pre-installs all kinds of borderline-malware. You should be at least a little computer savvy to do this. If you're infected and don't feel comfortable reinstalling Windows, you don't have many options. If it's in the return period, return it. If not, you might have to find a friend or family member who's more computer-savvy. If all else fails, if you at least have another PC, a smartphone, or a tablet with internet access, then you can certainly find a newbie-proof guide on YouTube and/or find solutions to any problems you might run into.
    • Go to your manufacturer's support page, enter your laptop's model number, and download at minimum your laptop's wifi driver. As long as you have internet access you can install any other required drivers later, and Windows Update will probably do most of them on its own. Put the wifi driver on an empty thumb drive and set it aside. Don't use the thumb drive for the next step.
    • Go here to legally download an official Windows disc image directly from Microsoft. Get the same version of Windows as your computer came pre-installed with.
    • Your laptop likely came with a tool to create recovery media. This will allow you to create a set of discs or a thumb drive which can reinstall Windows exactly as it came from the factory. It's a very good idea to do this, always.
    • Your hard drive likely has multiple partitions, one that's very small (~100 MB), one that's very large (many gigabytes), and one that's relatively small (2-20 gigabytes). The biggest and smallest ones are safe to delete while installing Windows. The medium-sized one (if it exists) is a recovery partition and should be left intact in case you need it later. Always leave it intact, it's not worth getting a tiny bit of extra hard drive space in exchange for an emergency backup.
    • Starting with Windows 8, PCs come with a serial number that's permanently pre-installed into your computer and you shouldn't need to enter a serial number or jump through hoops to activate during installation.
    • Windows takes forever to install and finish updating, Windows 8 in particular. You won't be using the laptop during the day you reinstall. Most of the setup is unattended, meaning you hit "okay" and leave it to do its thing, then come back and hit "okay" again... repeat. One important thing though, always install ALL the available Windows updates before installing a service pack ("Windows 7 SP1") or starting the free Windows 8.1 upgrade. The three times I've been unfortunate enough to bear witness to attempting to install a service pack or the 8.1 update prior to all the regular Windows updates being installed, it got half-way through the update process (hours) and then decided it couldn't update and needed to revert all the changes it'd made (more hours), then once I'd installed all the regular updates I had to install 8.1 again (hours).

 

Source


This is an over idealistic sentiment, but I really wish there was some regulation that prevented OEMs from installing this crapware. If they really think users should use this software then just provide a little app asking the user if they want all of this OEM stuff.

 

Getting back to the non-idealistic present reality, I recommend people just reinstall Windows from scratch. Not only in this Lenovo situation, but in any situation where the OEM loads it up with intrusive anti-virus software, adware, trialware, and utilities that slow things down and create security problems.


I think it is only affecting IE and Chrome.

Firefox is using a different certificate system or something. I could be wrong though, as I was reading something about it hours ago for a little bit when I could not sleep, so I was mostly skimming.

Anyway, I use a Lenovo convertible tablet for work, so I will have to check out if this is an issue on my machine (it was bought in September 2014).

EDIT:

from: http://www.ibtimes.com/millions-lenovo-pcs-vulnerable-superfish-hack-how-see-if-youre-affected-1821360

Looks like I should be OK, though I will have to look into that next time I use my Lenovo. :)

Also, another reason to like Firefox (I have been using it since forever, and after trying all the others, I still love it the best).

Nah, it still installs itself into Firefox, it just needs a restart or something (It's not clear I think, some people are seeing the bad cert, others aren't)

What this highlights also, is that browsers currently do a crap job at detecting TLS layer attacks. Chrome and Firefox are the only browsers that do key pinning (designed to prevent a MITM attack), but both browsers specifically allow this kind of MITM attack in fear of breaking corporate networks. This shows that the logic was flawed though, they made the entire feature useless for anybody with a Lenovo computer, to appease some companies so that they didn't have to change their browser settings.

Edit: It also shows the CA trust model is broken too, but nobody is interested in changing that.


I always do a clean install of the OS when I buy a new computer. Only downside is sometimes you need to reinstall OEM-specific drivers, but these are usually easy to find.


I received this email from Lenovo this morning at work:

LENOVO STATEMENT ON SUPERFISH

Dear Valued Partner,

As you may have heard, select Lenovo consumer notebooks shipped after September 2014 included Superfish Visual Discovery software as a shopping aid to customers. Superfish is a TrustE certified third-party software vendor, with offices in Palo Alto, CA.

User feedback on the software was not positive and we received some reports of security concerns.

Please note that Lenovo has NOT loaded this software on any ThinkPad notebooks, nor any desktops, tablets, workstations, servers or smartphones. The only impacted models are the following consumer notebook series: Z-series, Y-Series, U-Series, G-Series, S-Series, Flex-Series, Yoga, Miix and E-Series. If you use any of these Lenovo consumer models in your enterprise, please refer to the Customer Support information below.

While this software does not impact the models typically used by businesses, we wanted to let you know that we take user feedback seriously at Lenovo. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. We make every effort to provide a great user experience for our customers.

We recognize that the Superfish software has caused concern. Lenovo has taken steps to address that concern.

 

 

 


Huh, "visual discovery software." Nice.

 

We appreciate your confidence in Lenovo.

Yeaaaa... no. Just jumped into the same category as Sony as far as I'm concerned. Once and done, never again. I always nuke prebuilts before touching them anyway, but now it's just the principle of it. Not the only OEM out there.

I don't know, something sounds superfish'y about this.

The problem is, even though in this case it's bundled on the computer, it seems like almost every average user has a massive adware infection on their PC. So I can see how this adware could be included in an poopack of adware or other adware doing the same thing. So it wouldn't surprise me to learn that most average Joe PCs have some sort of man in the middle attack going on.


This topic is now closed to further replies.