Lenovo Still Shipping Laptops With Superfish

Ars Technica reports that weeks after Lenovo said it would stop selling computers with Superfish adware installed, it's still there for many purchasers of the company's laptops. From the article: Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.

"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed." Supply chains are long, and hand-work is expensive, so this might not surprise anyone. Less forgivable, though is this finding, of the software provided to purge machines of the adware: "Lenovo's software didn't begin to live up to its promise of removing all Superfish-related data. Based on its own self-generated report, the tool left behind the Superfish application itself. A scan using the Malwarebytes antivirus program found the Superfish remnants VisualDiscovery.exe, SuperfishCert.dll, and a VisualDiscovery registry setting."

Too late

My company bought 1200 Lenovo laptops last year, but now we'll never buy another Lenovo product again. I don't care if was the consumer laptop, they are no longer a company that can be trusted.

Re:Too late

[ssam]

If a company is incompetent enough to ship such insecure software, why would you trust that their firmware drivers were safe. If a company thinks its good econmic sense to ship adware, why would trust them use high quality components where they might save a few cent by cheaper low quality ones.

I have bought thinkpads in the past, because they are great hardware (i like the track point, wide set of ports even on the ultraportable x series, replacable battery, easily swapable disks, IPS screens). But my 18 month old x230 has just developed a random shutdown fault, so my opinion of Lenovo is failling fast.

Re:Too late

[sound+vision]

3 years ago I was involved in a contract to replace several thousand public school computers from Lenovo that had bad PSUs. The computers weren't just dying, they were actually catching fire.
Lenovo has been coasting on brand reputation for quite some time now.

Re:Too late

Bios compatibility is a thing. My experience is mostly with Dell non-consumer hardware, but you can generally replace most parts with non-branded ones. When you can't it is typically something that is not coded to be compatible in the BIOS, not that it's BIOS locked not to be able to use it. For example, if you get a brand new wireless card and try to put it into a 3 year old laptop, the BIOS may not support that card because it's old, not because it's locked.

Re:Never trust them again

[vadim_t]

That's a counterproductive way of doing things.

Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

The spyware gives them some money. If all people who hate it put Lenovo in their blacklist forever, then the most sensible business decision is keeping the spyware. The customers that hate it won't come back, and the ones that remain don't care, so nothing is gained by removing it after losing that part of the customer base.

Can't help but laugh

[ilsaloving]

I'm seeing so many posts about how people "will never buy from Lenovo again because they can't be trusted" etc etc, and can't help shrug cynically.

I wonder how many of these same people buy Sony products despite not just one, but an entire string of blatantly anti-consumer decisions (of which the rootkit CDs were just one)

Or Microsoft, which has a very long history of not just anti-consumer, but crushing the PC industry and suberting entire standards bodies. But in the last couple years they've thrown a few open source bones... yeah that totally makes up for the last 20+ years of damage they have caused.

So yeah, I hope everyone gets to enjoy their collective outrage while it lasts, cause before you know it you'll find your comments will get modded troll by people who think you're just overreacting.

Re:Can't help but laugh

[ledow]

I agree with the sentiment of your post.

However, for some of us, a principle stands out and isn't just empty words.

I do not now, and have not ever, owned an Apple or Sony product. I disagree with the way they do business, I disagree with the attitude to the consumer, and I disagree with the way they sting the prices on their equipment. There's a number of companies on my blacklist that I have said I won't buy from again. And I haven't.

Microsoft, for example, is a problem to avoid. If you work in IT, it's one company that you are very often required to support, no matter what your personal objections. However, even then, there are steps you can take. I endeavour to give Microsoft as little money as possible, and as much proportioned towards the products I agree with as possible. It's cost them many, many tens of thousands of pounds over the years.

I can't completely cut them out, but their attitude costs them all the time. IE and Bing, however, are totally unnecessary in my environments yet encourage a "lazy endorsement" of their products if you just leave them in, so I ACTIVELY do everything I can to move users off them. I often go to a new workplace and my first policy is "We don't support IE, use a real browser" for example.

Some people will bitch and moan and then go on to contradict themselves in the privacy of their own head. Some of us don't.

My current site is entirely Lenovo hardware on the client end. Be sure that Superfish is going to cost them, hard, next time I'm doing some purchasing. Sure, I might end up buying at a much heavier discount than normal (the Superfish issue cannot and have not affected me because of the way I deploy machines on fresh images as a matter of course) rather than outright blacklisting, but that's reflective of the hassle caused to any place using their hardware for business use. Almost none.

However, guess who people go to when they want purchasing advice? The IT guy. Guess which laptops they are going to be advised to avoid entirely or at the very least create a fuss when buying?

Things like this aren't zero impact. And when Superfish is just a memory, it should still play a part in people's buying opinions. But do you honestly expect permanent blacklisting for ever and ever even after the problem is fixed?

Re:Never trust them again

[SigmundFloyd]

Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

At the very least, heads should have rolled. And one of them had better be the CEO's. Better yet, the whole chain of command that made and approved the decision to install the malware.

Since this hasn't happened, we can safely conclude that Lenovo is in bad faith and unwilling to do what is right.