Lenovo has defended the installation of the Superfish software, saying that there is no evidence to substantiate security concerns.
In a statement, Superfish was previously included on some consumer notebook products shipped in a short window between October and December to help customers potentially discover interesting products. After user feedback was not positive, it was subsequently disabled at server side from January in all Lenovo products, disabling Superfish for all products.
It also claimed that it stopped preloading the software in January, and has no plans to preload this software in the future.
“Superfish technology is purely based on contextual/image and not behavioural,” Lenovo said. “It does not profile nor monitor user behaviour. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product.
“The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognise that the software did not meet that goal and have acted quickly and decisively.”
Lenovo pointed concerned users to its forums, acknowledging the security concerns. “We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first,” it said.
“Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns.”
A comment request to Superfish from IT Security Guru had not been received at the time o writing.
Roy Tobin, threat researcher at Webroot, said: “Sadly this is common practice in the industry. Customers aren’t informed that this type of software is installed, leaving many users wondering how they have an infection on their brand new laptop when an anti-virus program picks it up.
“Some manufacturers give the option of not having these installed, however, you have to know about such software before you can opt out. Whatever the decision around how ethical it is to do this, the increased awareness will at least give consumers the knowledge they need to opt out or un-install such programs. Hopefully this story will be a wake-up call for consumers. Whether its unwanted adware from the manufacture or hackers using malicious apps, they need to take precautions to know who is watching them on their own device.”
Chris Boyd, malware intelligence analyst at Malwarebytes, said: “Preinstalled software is always a concern because there’s often no easy way for a buyer to know what that software is doing – or if removing it will cause system problems further down the line.
“In this particular case, anybody affected should uninstall the Superfish software then type certmgr.msc into their Windows search bar – from there, they can find and remove the related root certificate.”