Lenovo has released an automated tool to remove the Superfish software and is working with security firms to quarantine the certificate.
According to a statement, Lenovo has tasked Intel Security (formerly McAfee) and Symantec with removing the rogue software, which was accused of hijacking web traffic using fake, self-signed root certificates to inject advertisements into sessions, and of monitoring user activity with man-in-the-middle attack techniques to break open secure connections.
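A defender-side check, added here as an illustration and not part of the original article or of Lenovo's removal tool: the PowerShell below searches the Windows trusted root stores for any certificate whose subject or issuer mentions Superfish, shows whether it is a CA certificate (the property that lets its holder sign certificates for any site), and removes it only when run with `-Remove`. Matching on the string "Superfish" is an assumption about the certificate's name.

```powershell
# Added example (not Lenovo's or Superfish's code): find a Superfish root
# certificate in the Windows trusted root stores and optionally remove it.
# Assumption: the injected root certificate carries "Superfish" in its subject or issuer.
param(
    [switch]$Remove   # without this switch the script only reports
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found  = @()

foreach ($store in $stores) {
    $hits = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' }

    foreach ($cert in $hits) {
        # BasicConstraints tells us whether this is a CA certificate, i.e. one
        # that browsers would accept as the issuer of any site certificate.
        $bc   = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCA = if ($bc) { $bc.CertificateAuthority } else { $false }

        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            IsCA       = $isCA
            Path       = $cert.PSPath
        }
    }
}

if (-not $found) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
    return
}

$found | Select-Object Store, Subject, Thumbprint, NotAfter, IsCA | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        # Deleting from Cert:\LocalMachine\Root requires an elevated session.
        Remove-Item -Path $entry.Path
        Write-Output "Removed $($entry.Thumbprint) from $($entry.Store)"
    }
}
```

Run it first without `-Remove` to audit a machine; browsers that keep their own trust store are not covered by the Windows stores checked here.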
Lenovo said that it ordered Superfish preloads to stop and had the server connections shut down in January following user complaints about the experience, but its actions were not publicly known until reports emerged last Thursday. “Now we are focused on fixing it,” it said.
“Since that time we have moved as swiftly and decisively as we can based on what we now know. We apologise for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future. We will continue to take steps to make removal of the software and underlying vulnerable certificates in question easy for customers so they can continue to use our products with the confidence that they expect and deserve.”
Lenovo further described the Superfish technology as being “purely based on contextual/image and not behavioural”.
In an email sent to IT Security Guru, Superfish CEO Adi Pinhas said that the company has been working with Lenovo and Microsoft to create an industry patch to resolve the threat, having only learned of it on Thursday.
He claimed that there has been “significant misinformation” circulating about the Superfish software that was pre-installed on certain Lenovo laptops. He said the software shipped on a limited number of computers in 2014 in an effort to enhance the online shopping experience for Lenovo customers and that, despite the “false and misleading statements made by some media commentators and bloggers”, the Superfish software does not present a security risk.
He said: “In no way does Superfish store personal data or share such data with anyone. Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped.
“Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. The software was disabled on the server side (i.e., Superfish’s search engine) in January 2015.
“Superfish takes great pride in the quality of its software, the transparency of its business practices, and its strong relationship with the Superfish user community. Superfish’s visual search technology enables millions of people to explore and learn about the world in an engaging and highly intuitive manner. A positive user experience has been the cornerstone of Superfish’s success.”
According to PC World, a proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and with making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware.
Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called “spyware” in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits.
The lawsuit was filed after Lenovo admitted to pre-loading Superfish on some consumer PCs. The laptops affected by Superfish include non-ThinkPad models such as G Series, U Series, Y Series, Z Series, S Series, Flex, Miix, Yoga and E Series.