Slashdot Mirror
Lenovo Still Shipping Laptops With Superfish
Ars Technica reports that weeks after Lenovo said it would stop selling computers with Superfish adware installed, it's still there for many purchasers of the company's laptops.
From the article:
Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.
"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed." Supply chains are long, and hand-work is expensive, so this might not surprise anyone. Less forgivable, though is this finding, of the software provided to purge machines of the adware: "Lenovo's software didn't begin to live up to its promise of removing all Superfish-related data. Based on its own self-generated report, the tool left behind the Superfish application itself. A scan using the Malwarebytes antivirus program found the Superfish remnants VisualDiscovery.exe, SuperfishCert.dll, and a VisualDiscovery registry setting."
"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed." Supply chains are long, and hand-work is expensive, so this might not surprise anyone. Less forgivable, though is this finding, of the software provided to purge machines of the adware: "Lenovo's software didn't begin to live up to its promise of removing all Superfish-related data. Based on its own self-generated report, the tool left behind the Superfish application itself. A scan using the Malwarebytes antivirus program found the Superfish remnants VisualDiscovery.exe, SuperfishCert.dll, and a VisualDiscovery registry setting."
My company bought 1200 Lenovo laptops last year, but now we'll never buy another Lenovo product again. I don't care if was the consumer laptop, they are no longer a company that can be trusted.
Although I consider Lenovo fully responsible (and liable) for SuperPhish in the first place, I could easily see the removal tool's inefficacy stemming from it being a panicked rush job.
.
From that point of view, why should they reimage the drives of notebooks in inventory?
At the very least, heads should have rolled. And one of them had better be the CEO's. Better yet, the whole chain of command that made and approved the decision to install the malware.
Since this hasn't happened, we can safely conclude that Lenovo is in bad faith and unwilling to do what is right.
Knowledge is power; knowledge shared is power lost.