Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers

Posted by timothy on from the hey-man-you're-s'posed-to-join-the-nsa-first dept.

An anonymous reader writes It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time. The adware, named Superfish, is reportedly installed on a number of Lenovo's consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user's permission. Another anonymous reader points to this Techspot article, noting that that it doesn't mention the SSL aspect, but this Lenovo Forum Post, with screen caps, is indicating it may be a man-in-the-middle attack to hijack an SSL connection too. It's too early to tell if this is a hoax or not, but there are multiple forum posts about the Superfish bug being installed on new systems. Another good reason to have your own fresh install disk, and to just drop the drivers onto a USB stick. Also at ZDnet.

11 of 248 comments (clear)

  1. All the more reason... by AltGrendel · · Score: 5, Insightful

    ...to wipe the box and install some other OS.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:All the more reason... by cdrudge · · Score: 5, Insightful

      Why ditch Windows when it's allegedly Lenovo that did the dirty work. If Lenovo shipped a laptop with Linux installed on it with a similar piece of malware, would you be saying ditch Linux too?

    2. Re:All the more reason... by Thor+Ablestar · · Score: 1, Insightful

      Yes. Any new computer is to be completely wiped and reinstalled from scratch. And, if possible, with reflashing of BIOS and every firmware imaginable.

    3. Re:All the more reason... by Anonymous Coward · · Score: 1, Insightful

      Because its Microsoft that originally pushed the no OS disc provided your software is all on the hard drive that allows this kind of crap to happen.

    4. Re:All the more reason... by Anonymous Coward · · Score: 5, Insightful

      Don't forget to reflash EVERY blob of NAND or ROM inside that box, especially the hard drive firmware. And make sure that the present firmware actually does the flash command you believe you're asking of it, rather than lying about success. I hope you didn't download that new firmware (when's the last time your HDD vendor did that?) on a Lenovo, that's riddled with unsound root certificates.

      Are you sure that some magical combination of ASM.JS opcodes, as they are being decoded by your CPU, don't trigger a carefully crafted pagetable bug? Is your RAM hammer proof? That's a nice WIFI card you have hooked up to the PCIe bus, what does it really do with malformed data? What about your phone's baseband, and the teeny remotely operated JVM inside your SIM card?

  2. worse a fake root certificate! by Billly+Gates · · Score: 4, Insightful

    What were Lenovo thinking? People pay bills online you know. Easily can steal lots of information

    As much as we bashed RMS here for being a lunatic he has a point with trusting a for profit entity making closed source software.

    --
    http://saveie6.com/
    1. Re:worse a fake root certificate! by QuasiSteve · · Score: 5, Insightful

      Wouldn't really need one - SuperFish works in such a way that it inserts itself for any site. What would it do otherwise, keep a blacklist of all the possible banking/investment/whatever sites in the world that it should ignore?

      So yes, bankofamerica.com courtesy of SuperFish, but also facebook courtesy of SuperFish and YouTube courtesy of SuperFish and Mom & Pop's corner store courtesy of SuperFish.

      It's a nasty piece of software in that its intent is to serve up ads (and/or collect information, of course), but this sort of thing is also readily available on the market for parents who want to keep tabs on little johnny's browsing habits or bosses who want to keep tabs on their employees. Unless johnny/employee / their browser checks the certificate and notices it's probably not what it's supposed to be despite being perfectly valid, bob's your uncle.

  3. Re:Revenge by kelarius · · Score: 5, Insightful

    It's more likely that Lenovo installed this software because they were paid to do so (either directly or through kickbacks to Mike Hopkins or whatever VP) and they simply didn't vet the software to make sure that it wasn't malicious. So while some people in the organization may be guilty of negligence they would never get convicted on anything close to CFAA levels.

    --
    Personally I'd rather have my idiots at home glued to the TV than out doing idiotic things
  4. Re:Revenge by Anonymous Coward · · Score: 3, Insightful

    You seem to believe that laws apply equally to corporations and people. You must not be American.

  5. Don't dismiss RMS by matbury · · Score: 4, Insightful

    Richard Stallman is spot on regarding free and open source software (FOSS). He warns us about how proprietary, closed source software can be abused and that our dependency on it is a danger to civil society. In case you didn't see it the first time round: https://www.youtube.com/watch?... Only an idiot would dismiss the concerns he raises.

  6. Re:Lenovo website says they deactivated it... by JohnFen · · Score: 4, Insightful

    Yes, that response was insufficient on a number of points. But what struck me about their statement was this:

    The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

    Why in the world do companies keep insisting that datamining and delivering ads "enhances the experience for users"? They can't possibly believe that. If they do, then they're hopelessly delusional. If they don't, then they're scumbag liars. Either way, it does nothing but make them look terrible.