The first sign that Lenovo is still struggling to understand the enormity of its screwup is when it claims “Users are given a choice over whether or not to use the product.” This is flatly untrue. Superfish shipped as a pre-installed default on user systems; the only “choice” users were given was whether or not to click “Accept” for the entire laptop. There’s zero evidence suggesting that users were aware that doing so would fatally compromise their security. Our guide to removing Superfish and its false certificate is available here.
An evolving message and a very deep hole
Lenovo’s first responses to this problem were a mixture of tone-deaf and defiant, loudly certifying that the company had created no security flaw, that all such issues were theoretical, and that it stood by the security of the Superfish software. This changed later — sentences like “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns” have now been stricken from the record. Lenovo has also walked back its support for Superfish, though the CEO of that company, Adi Pinhas, still claims that Superfish is “completely transparent.”
Just the shopping experience you wanted.
It’s possible that Lenovo has begun to wake up to just who it jumped into bed with. Forbes has an extensive profile on Mr. Pinhas’ history, and it’s not a flattering one. Superfish has been behind multiple previous adware and malware products, including the much-maligned Window Shopper. It’s also now been discovered that the same company has provided similar technology to multiple other software products, including “Keep My Family Secure” (produced directly by the company), Qustodio’s parental control software, and Kurupira’s Webfilter. In every case, the private-key password is always “komodia.”
Possibly impacted systems
Lenovo has released a list of affected systems, but the wording is rather odd. The company states that Superfish may have appeared on the following models (emphasis added):
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
I’m genuinely uncertain what to make of the words “May have.” Microsoft has its Signature series, where you can buy laptops from other vendors that are guaranteed to ship without bloatware of any kind, but apart from those systems, Lenovo should know whether or not its laptops shipped with this software or not.
The company has yet to release an actual tool for removing the software and security certificate, but Microsoft has already updated its own Windows Defender to do so. Firefox and Thunderbird users, however, will still need to clean those systems manually.
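As an added check that is not part of this article and not a Lenovo or Microsoft tool, the following PowerShell reports whether a Superfish root certificate is still trusted in the Windows certificate stores and lists the Firefox and Thunderbird profile stores that have to be inspected by hand. It assumes the certificate’s Subject contains “Superfish” and the standard Mozilla profile locations under %APPDATA%; the script only reports and removes nothing.

```powershell
# Added example: report a lingering Superfish root CA on a Windows machine.
# Assumption: the offending certificate's Subject contains "Superfish";
# change $Pattern if the vendor string on your system differs.

function Find-SuperfishRootCert {
    param([string]$Pattern = 'Superfish')
    # Check both machine and user scopes, root and intermediate CA stores.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    SelfSigned = ($_.Subject -eq $_.Issuer)   # a root CA signs itself
                }
            }
    }
}

function Get-MozillaProfileCertDbs {
    # Firefox and Thunderbird keep their own NSS trust store (cert8.db or cert9.db
    # per profile), so a CA removed from Windows can still be trusted there.
    $roots = "$env:APPDATA\Mozilla\Firefox\Profiles", "$env:APPDATA\Thunderbird\Profiles"
    foreach ($root in $roots) {
        if (Test-Path -Path $root) {
            Get-ChildItem -Path $root -Directory | ForEach-Object {
                Get-ChildItem -Path $_.FullName -Filter 'cert*.db' -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty FullName
            }
        }
    }
}

$hits = @(Find-SuperfishRootCert)
if ($hits.Count -eq 0) {
    Write-Output 'No Superfish certificate found in the Windows Root/CA stores.'
} else {
    Write-Output "WARNING: $($hits.Count) Superfish certificate(s) still trusted:"
    $hits | Format-Table -AutoSize
}
$dbs = @(Get-MozillaProfileCertDbs)
if ($dbs.Count -gt 0) {
    Write-Output 'Mozilla trust stores to check manually (Certificate Manager > Authorities):'
    $dbs
}
```

Run it from an elevated PowerShell so the LocalMachine stores are readable; a clean result here does not clear the Mozilla profiles it lists.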