Software provider Superfish has said it stands by claims made by Lenovo that there is nothing malicious about its product.
In a statement sent to IT Security Guru, Superfish CEO Adi Pinhas said that the company is standing by the comments made by Lenovo, and confirmed that Superfish has not been active on Lenovo laptops since December.
He said: “It is important to note [that] Superfish is completely transparent in what our software does and at no time were consumers vulnerable – we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.”
The statement from Lenovo claimed that it pre-installed the third-party software Superfish “in our effort to enhance our user experience” and said it is working directly with Superfish and with other industry partners to ensure it addresses any possible security issues now and in the future.
“Superfish technology is purely based on contextual/image and not behavioural,” Lenovo said. “It does not profile nor monitor user behaviour. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product.”
However, this is still being contested by industry researchers. Marc Rogers, security researcher at Cloudflare, said on Twitter that “it blows my mind that Lenovo are trying to pass the threat from these certificates off as ‘theoretical’ or otherwise diminish the risk”, while blogger Robert Graham said “Lenovo’s statement is a bald face lie. If this program were so great, users would be able to download it themselves”.
Adam Winn, manager at OPSWAT, said that it was “shocking” that Lenovo would pre-install software that breaks the SSL trust chain in such a fundamental way, and that with a dedicated following of IT professionals, as evidenced by the ubiquity of ThinkPads in enterprise, there is no doubt that this incident will come with a heavy hit to Lenovo’s bottom line. He said: “No IT administrator will tolerate a MITM attack on company owned or even BYOD assets.”
TK Keanini, CTO of Lancope, said: “I’m happy to see consumers pushing back and demanding greater security out of the box. Unless the market steps up and asks for more secure systems, vendors will keep doing silly and sometimes irresponsible things.
“I remember purchasing a laptop for my daughter a few years back and the retailer wanted me to pay extra to remove all the adware and ‘extras’ from the unit. This is not right. Pay extra so that I can get rid of all the advertising software and programs that slow my experience down? It is like buying a car and paying extra to remove the ads painted on the