Lenovo Still Shipping Laptops With Superfish

Ars Technica reports that weeks after Lenovo said it would stop selling computers with Superfish adware installed, it's still there for many purchasers of the company's laptops. From the article: Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.

"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed." Supply chains are long, and hand-work is expensive, so this might not surprise anyone. Less forgivable, though is this finding, of the software provided to purge machines of the adware: "Lenovo's software didn't begin to live up to its promise of removing all Superfish-related data. Based on its own self-generated report, the tool left behind the Superfish application itself. A scan using the Malwarebytes antivirus program found the Superfish remnants VisualDiscovery.exe, SuperfishCert.dll, and a VisualDiscovery registry setting."

Too late

My company bought 1200 Lenovo laptops last year, but now we'll never buy another Lenovo product again. I don't care if was the consumer laptop, they are no longer a company that can be trusted.

Re:Too late

[sumdumass]

Unless his company disolves or passes the burden of purchaseing laptops onto employees in the future, there will be a need in 3-5 years to get new ones.

However, 1200 laptops, with a company that large it should be using volume licensing and reimaging the computers with their own keyed software. This would negate anything the manufacturer does. Is there something with new laptops making this impractical?

Re:Too late

I don't think they're worried about the OS level stuff, but more that if they'll load malware onto a consumer product intentionally they might consider loading other less savory things into firmware or something similar. There's worry about the slippery slope rather than the actual Superfish fiasco.

Re:Too late

[ssam]

If a company is incompetent enough to ship such insecure software, why would you trust that their firmware drivers were safe. If a company thinks its good econmic sense to ship adware, why would trust them use high quality components where they might save a few cent by cheaper low quality ones.

I have bought thinkpads in the past, because they are great hardware (i like the track point, wide set of ports even on the ultraportable x series, replacable battery, easily swapable disks, IPS screens). But my 18 month old x230 has just developed a random shutdown fault, so my opinion of Lenovo is failling fast.

Re:Too late

[Aighearach]

If they're buying consumer grade laptops for employees, they'll just buy whatever is cheap in 5 years, and the bean counter won't listen to the whining about which brands anybody wants. That's true even if the CTO was overheard in the cafeteria saying, "Gosh, we'll never buy from them again!"

Re:Too late

[thegarbz]

If a company is incompetent enough to ship such insecure software, why would you trust that their firmware drivers were safe. If a company thinks its good econmic sense to ship adware, why would trust them use high quality components where they might save a few cent by cheaper low quality ones.

That's an easy answer. Companies are ignorant machines. A company isn't incompetent, certain parts of it are. While a small group of idiots thought it may be a good idea to do one thing, it is quite likely that the other group (responsible for firmware or hardware) had no idea that it was going on, have far better quality for their own segment, and the people may have even been against it had they known.

I postulate that the people assembling the hardware or the firmware had no idea what malware was being installed on the final machine, and that one has nothing to do with the other.

Re:Too late

[sound+vision]

3 years ago I was involved in a contract to replace several thousand public school computers from Lenovo that had bad PSUs. The computers weren't just dying, they were actually catching fire.
Lenovo has been coasting on brand reputation for quite some time now.

Lenovo

Lenovo were the only ones who were caught. And:

Criticisms of Superfish software predated the "Lenovo incident" and were not limited to the Lenovo user community: as early as 2010, Apple, Mozilla Firefox, and Microsoft Windows users had expressed concerns in online support and discussion forums that Superfish software had been installed on their computers without their knowledge, by being bundled with other software.

After that there is some finger pointing by the CEO of Superfish at another company.

Anyway, when it comes to this shit and cheap computers that subsidize their prices with adware/malware/advertising/etc ..., I just clean all that shit off and then some other things - and it tickles me that the asshole companies like Superfish are getting screwed because they won't be getting any ad revenue from me or anyone else that I cleaned a machine for.

Rush job?

[DoofusOfDeath]

Although I consider Lenovo fully responsible (and liable) for SuperPhish in the first place, I could easily see the removal tool's inefficacy stemming from it being a panicked rush job.

Re: Rush job?

[Kvathe]

Agreed. The original superfish bundling was a bad move, but this seems like more a case of Hanlon's Razor. It's hard to discount stupidity when talking about Lenovo.

Re: Rush job?

[SigmundFloyd]

I think Hanlon's razor (never attribute to malice what can be explained by stupidity) is way too optimistic about human nature.

Lenovo has no ethics, pure and simple. As far as I'm concerned, they lost a prospective customer.

Never trust them again

[gman003]

This was such a blatantly anti-customer move that I will never - NEVER - be a Lenovo customer again. They cannot be trusted, and probably can never be trusted again because any "change" could just be a whitewashing campaign, not a real change.

This is simply more evidence that they deserve all the shit they're getting, and more.

Re:Never trust them again

[vadim_t]

That's a counterproductive way of doing things.

Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

The spyware gives them some money. If all people who hate it put Lenovo in their blacklist forever, then the most sensible business decision is keeping the spyware. The customers that hate it won't come back, and the ones that remain don't care, so nothing is gained by removing it after losing that part of the customer base.

Re:Never trust them again

[websitebroke]

I think what the OP is getting at is that if enough people don't trust Lenovo, and Lenovo goes under as a result, it would be a great lesson to the other manufacturers that putting this sort of crapware on their machines doesn't pay in the long run. It's not an unreasonable point of view, but I think you're right, because I think the Superfish debacle won't be enough to drive Lenovo out of business. All we have left is the carrot of being a potential future customer since the stick of beating down Lenovo won't be effective.

Re:Never trust them again

[SigmundFloyd]

Whenever making that kind of statement towards any sort of business you're telling them that there's no point to try to correct whatever upset you, as all resources spent to that end are going to be in vain anyway.

At the very least, heads should have rolled. And one of them had better be the CEO's. Better yet, the whole chain of command that made and approved the decision to install the malware.

Since this hasn't happened, we can safely conclude that Lenovo is in bad faith and unwilling to do what is right.

Lenovo is looking at this from a profit PoV

[QuietLagoon]

Lenovo is not looking at this from a customer point of view. They are looking to minimize the damage to their profits caused by their arrogant ignorance

.
From that point of view, why should they reimage the drives of notebooks in inventory?

Re:Is there really a Slashdot-ish user affected ?

[plover]

Your average home user doesn't reinstall anything, and for many reasons.

Even if he or she wanted to, they won't have a viable consumer OS installation disk anymore. They get the "System Recovery Disk" with their new purchase, and it's likely filled with the same Lenovo image that was used to bundle the malware in the first place.

Can't help but laugh

[ilsaloving]

I'm seeing so many posts about how people "will never buy from Lenovo again because they can't be trusted" etc etc, and can't help shrug cynically.

I wonder how many of these same people buy Sony products despite not just one, but an entire string of blatantly anti-consumer decisions (of which the rootkit CDs were just one)

Or Microsoft, which has a very long history of not just anti-consumer, but crushing the PC industry and suberting entire standards bodies. But in the last couple years they've thrown a few open source bones... yeah that totally makes up for the last 20+ years of damage they have caused.

So yeah, I hope everyone gets to enjoy their collective outrage while it lasts, cause before you know it you'll find your comments will get modded troll by people who think you're just overreacting.

Re:Can't help but laugh

[ledow]

I agree with the sentiment of your post.

However, for some of us, a principle stands out and isn't just empty words.

I do not now, and have not ever, owned an Apple or Sony product. I disagree with the way they do business, I disagree with the attitude to the consumer, and I disagree with the way they sting the prices on their equipment. There's a number of companies on my blacklist that I have said I won't buy from again. And I haven't.

Microsoft, for example, is a problem to avoid. If you work in IT, it's one company that you are very often required to support, no matter what your personal objections. However, even then, there are steps you can take. I endeavour to give Microsoft as little money as possible, and as much proportioned towards the products I agree with as possible. It's cost them many, many tens of thousands of pounds over the years.

I can't completely cut them out, but their attitude costs them all the time. IE and Bing, however, are totally unnecessary in my environments yet encourage a "lazy endorsement" of their products if you just leave them in, so I ACTIVELY do everything I can to move users off them. I often go to a new workplace and my first policy is "We don't support IE, use a real browser" for example.

Some people will bitch and moan and then go on to contradict themselves in the privacy of their own head. Some of us don't.

My current site is entirely Lenovo hardware on the client end. Be sure that Superfish is going to cost them, hard, next time I'm doing some purchasing. Sure, I might end up buying at a much heavier discount than normal (the Superfish issue cannot and have not affected me because of the way I deploy machines on fresh images as a matter of course) rather than outright blacklisting, but that's reflective of the hassle caused to any place using their hardware for business use. Almost none.

However, guess who people go to when they want purchasing advice? The IT guy. Guess which laptops they are going to be advised to avoid entirely or at the very least create a fuss when buying?

Things like this aren't zero impact. And when Superfish is just a memory, it should still play a part in people's buying opinions. But do you honestly expect permanent blacklisting for ever and ever even after the problem is fixed?

The solution is simple

[kheldan]

Wipe the drive and do a clean install of Windows. You'll probably also be getting rid of a whole bunch of other bloatware in the process anyway, so win-win.

Re:Genral Consumer vs. Business Models

[HiThere]

It's not even so much morality as self interest. If they'll do this to some of their customers, they'll do it to others, so you don't want to be one of those others. And if software is too easily removed they're quite capable of doing it in firmware.

Doing business only with reputable companies falls within the area of "enlightened self-interest" rather than altruism.