cancel
Showing results for 
Search instead for 
Did you mean: 
catdaddy
Level 20

Anyone read the latest on the Lenovo 'Crapware' Debacle?

I felt this to be noteworthy, as this has been an ongoing problem with Computer manufacturers for ages. You might notice also that Lenova wishes to address this Vulnerability/Issue with the assistance from Microsoft/and McAfee included.

If you look to the right of the enclosed article,you will see that since the writing of this, Microsoft has stepped in, and provided assistance by adding it to their database., to be detected and removed.

Security experts call for halt to PC 'crapware' after Lenovo debacle | Computerworld

Microsoft helps Lenovo, deletes Superfish 'crapware' and rogue cert | Computerworld

Regards,

Catdaddy

McAfee Community Moderator

Consumer Products

Cliff
McAfee Volunteer
9 Replies
exbrit
Level 21

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

Not surprised by that.

0 Kudos
Hayton
Level 17

Re: Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

Latest - Lenovo release update to earlier statement

http://news.lenovo.com/article_display.cfm?article_id=1931


  1. In addition to the manual removal instructions currently available online, we have released an automated tool to help users remove the software and certificate.  That tool is here: http://support.lenovo.com/us/en/product_security/superfish_uninstall

  2. We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem.

The big issue is the self-signed certificate rather than the adware. That should not have been allowed since it not only allows for MITM attacks but also gives Superfish the means to intercept supposedly secure encrypted information and pass it to a third party.

Almost all the PUP adware I've looked at lately is coming from a network of Israeli companies based in Tel Aviv. They're all profiting immensely from their adware products to judge from their share price performance, but no-one seems concerned about the privacy or security implications of allowing these companies to gather so much personal information from their installed products. Someone ought to do a background study to investigate these companies and compare their privacy policies.

0 Kudos
catdaddy
Level 20

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

I am inclined to fully agree to your last statement. Thanks for the additional input..

Hopefully now this has been brought to the Forefront, investigations will indeed follow.

Cliff
McAfee Volunteer
0 Kudos
catdaddy
Level 20

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

Actually after revisiting my post, I should have said I agree with all your statements. Especially in regards to the self-signed certificate with the capability of intercepting supposedly secure encrypted content. Definitely should be looked into.....

Cliff
McAfee Volunteer
0 Kudos
cohbraz
Level 9

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

Anytime I have purchased a computer, I have always uninstalled most of the crapware that comes bundles with it. Not only is most of the software useless, it slows the computer down tremendously!

0 Kudos
Hayton
Level 17

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

This just gets worse. So Lenovo did a deal with Superfish, understandable for both parties. Lenovo get paid, Superfish gets an installed user base and somehow makes lots of money from the unsuspecting suckers who get their PCs contaminated with the company's odious adware. Obnoxious, but end of story (except for all the kickback from outraged users, security experts, bloggers and journos ... oh, and at least one lawsuit headed Lenovo's way which I hope stings them for a huge amount). End of story, right?

Wrong. Beginning of story.

Superfish, it turns out, was using software from an Israeli company called Komodia, which was written specifically to intercept secure communications. Surprisingly, both SiteAdvisor and WOT rate the company website as Green, although WOT is starting to gather unfavourable reviews. Presumably the company was so low-profile as to be practically anonymous ... but not any more.

http://www.bbc.co.uk/news/technology-31586610       (see final section for komodia)

SSL-busting code that threatened Lenovo users found in a dozen more apps | Ars Technica

“SSL hijacker” behind Superfish debacle imperils large number of users | Ars Technica

Lots of other PCs have Superfish risk - Business Insider

komodia Google entries.PNG

You won't be able to access the company's website right now - and probably not for a while - as it appears to have been knocked offline by a continuing DDoS attack.

Komodia offline.PNG

There are a couple of test sites which will alert you if Superfish, or any other program that intercepts SSL communications, is present on your system. Try this one, but you'll need to run it in all browsers that you've got installed -

Superfish, Komodia, PrivDog vulnerability test

One thing isn't too clear in all of this. After all the recent fuss about SSL-fallback, and the deprecation of SSL 3.0 in favour of TLS 1.2 - it's likely that SSL 3 will be little used within a very short time - how serious is this latest threat? My own estimate is that it was already a declining threat; the big question is whether this Israeli company (or one of its rivals) already has interception software in place for secure TLS communications. Now, that would be serious.

Hayton
Level 17

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

Update - latest

US-CERT have issued an alert about Superfish -

Lenovo Superfish Adware Vulnerable to HTTPS Spoofing | US-CERT

They have also released a Vulnerability Note which gives details of the Komodia Redirector  'interception engine' and SSL Digestor module. This Vulnerability Note gives details of other affected products by third parties, including by Lavasoft (Ad-Aware) and WebSecure.

Vulnerability Note VU#529496 - Komodia Redirector with SSL Digestor fails to properly validate SSL a...

Lavasoft Information for VU#529496

Websecure Ltd Information for VU#529496

catdaddy
Level 20

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

Well spotted Mate

Cliff
McAfee Volunteer
0 Kudos
Hayton
Level 17

Re: Anyone read the latest on the Lenovo 'Crapware' Debacle?

This is old news ...

0 Kudos