Superfish: Lenovo ditches adware, but that doesn't fix SSL megavuln – researcher

It does seem like the recommendation I have made lately to friends and family asking my advice on new computers to format and do a clean install does carry some additional merit apart from getting rid of crudrefuses to uninstall properly.

Removing it

Lots of articles say the only way to be sure you have got rid of everything is to reinstall Windows and avoid using the Windows image supplied with the machine.

The problem is that won't work. The version of windows on it is the cut price "Windows 8.1 with Bing" for which Microsoft has never issued a public ISO. Standard version of Windows will not work.

So without buying a whole new version of Windows we are left just trying to fix the obvious stuff and hope we didn't miss anything.

SSL Certificate now public

Robert Graham has gone further and decrypted the private key for the certificate, which is installed as trusted on who-knows-how-many systems.

http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

They can charge more for the laptops. After all a lot of my customers are happy to pay me £50 to remove the crapware and set the laptop up like a Mac would come out of the box.

Improves the user experience no end.

Superfish comes with Lenovo consumer products only

Because, of course, we wouldn't jeopardize our lucrative SMB and Enterprise business by pulling this shit on them.

having worked at a UK OEM developing preloads, I (and others) campaigned wthin the company to keep things as vanilla as possible. Our users loved our installs, no adware, no trials.

We went bust.

The majority had spoken, they wanted the cheapest junk around, and now they have it. It speaks wonders for the concept of Democracy...those who may know better get to sit and watch the bulk destroy everything. I would chime in something about flies buying ipads and this site ending up being redesigned but that would be a total cheap shot.

Simpler: Don't buy Chinese computers/mobes. Stick with Chinese furniture, etc.

I make it easi(er) on myself. I don't buy Chinese computer/mobe products. The government there whines about how messed up the place is with rampant, non-state, hacking, and if the Red Army or the politburo isn't quietly mandating backdoors in firmware, they will get them in anyway (why should the NSA have all the fun?), and in this case Lenovo is showing a pretty clear evidence of security ignorance in getting non-domestic crapware—Israeli is this instance—on your machine in the first place, and dishonesty in lying about how long ago it was getting installed.

This doesn't guarantee security on a Mac, or even on a Blackphone. It gets me a bit closer.

"discover products visually"

Don't you just love PR twonks?

Reality check : it displays adverts so we can get some money

MS removal instructions don't work

I've got one of the afinfected laptops - first thing I did with it was remove all the crud, of course, however this article got me double checking, and while Superfish itself is nowhere to be seen sure enough the root cert was there.

The MS instructions don't work on 8.1, at least not on my machine - the Remove option is greyed out. I had to go into certmgr.msc to delete it.

Needless to say, it will be the last Lenovo machine I ever buy...

Are there others?

Is Superfish the only one? I do wonder about the other vendors....

Sue them!

I want California Attorney General Kamala Harris to file suit against any US-based arm of this bunch of crooks for criminal conspiracy to violate any number of privacy laws. I want Superfish indicted as co-conspirators.

I want them both to bleed money over this.

I want them both out of business.

I want any other batch of idiots who think spoofing root certificates is OK to realize that is corporate suicide.

And I think Kamala is the one to do this, because she's running for US Senator and likely is looking for a nice shouty platform to get some attention.

You go girl!

If we self-ban any vendors who do this shit...

We'll run out of vendors to buy from.

And when you decide to go "old school" again, the paper you write on will have a watermarked ad on it, and the pens will reveal a bikini shop website, rather than an actual bikini-clad girl.

When you're tired of that, the knife you use to slash your wrists will be engraved with the phone number of a very privately run hosptial. And since insurance won't cover you, bring you credit card, you know, the one with more ads on it. Hold onto it, you're going to need some reading material while you're waiting in the emergency room alongside everyone who had the same idea.

Since this isn't a suitable outcome, we should loudly and publically make fun of them at every opportunity. Yes, that's you, Lenovo, Sony, LG, Samsung and all the other f**kers who are going try it in future.

I can just about understand the marketing team at Lenovo being hoodwinked into buying this 'service' (I've worked in organisations where this kind of "value add" is sold to "partners" as a way to make money on a low margin product/service (Phorm, ISP NXDOMAIN hijacking 'search', etc)), but how Superfish can get away with this is beyond me. How can it even be legal?

The average Lenovo consumer laptop buyer (or anyone for that matter) should never have to check their root certificates; years of implicit trust in the address-bar-padlock have just been wiped out by these people.

I wonder if this was why the Lenovo I bought last year had two extra partitions pre-installed that only DISKPART saw. I blew them straight to data hell, along with Windows 8, when I was upgrading it to Windows 7 but I've always wondered what the hell they existed for. I doubt the certificate survived the formatting but now I have to check.

Last time I buy a product from them though, I'll tell you that. I knew I should have just plunked down the extra 200 bucks for the MacBook Air and Windows 7 license.

About that root certificate...

This whole thing is disgusting, so please don't think I'm sticking up for Lenovo here, but (not having the equipment to test) I'm puzzled about the issues involving their local root certificate.

Surely it is only accepted by the local browsers when they talk to the superfish program, and NOT the Superfish program as it talks to the outside world, therefore making concerns over thr cerificate key strength/password etc. moot?

Extending on this, interestingly it would become a problem only when the software is removed if the client-installed root certificate is left behind!

"To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine."

Because the only reason to own a computer is to go shopping?