I felt this to be noteworthy, as this has been an ongoing problem with computer manufacturers for ages. You might notice also that Lenovo wishes to address this vulnerability/issue with assistance from Microsoft and McAfee.
If you look to the right of the enclosed article, you will see that since the writing of this, Microsoft has stepped in and provided assistance by adding it to their database, to be detected and removed.
Security experts call for halt to PC 'crapware' after Lenovo debacle | Computerworld
Microsoft helps Lenovo, deletes Superfish 'crapware' and rogue cert | Computerworld
Regards,
Catdaddy
McAfee Community Moderator
Consumer Products
Not surprised by that.
Latest - Lenovo releases update to earlier statement
http://news.lenovo.com/article_display.cfm?article_id=1931
- In addition to the manual removal instructions currently available online, we have released an automated tool to help users remove the software and certificate. That tool is here: http://support.lenovo.com/us/en/product_security/superfish_uninstall
- We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies. These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem.
The big issue is the self-signed certificate rather than the adware. That should not have been allowed since it not only allows for MITM attacks but also gives Superfish the means to intercept supposedly secure encrypted information and pass it to a third party.
Almost all the PUP adware I've looked at lately is coming from a network of Israeli companies based in Tel Aviv. They're all profiting immensely from their adware products to judge from their share price performance, but no-one seems concerned about the privacy or security implications of allowing these companies to gather so much personal information from their installed products. Someone ought to do a background study to investigate these companies and compare their privacy policies.
I am inclined to fully agree with your last statement. Thanks for the additional input.
Hopefully now this has been brought to the Forefront, investigations will indeed follow.
Actually, after revisiting my post, I should have said I agree with all your statements. Especially with regard to the self-signed certificate with the capability of intercepting supposedly secure encrypted content. Definitely should be looked into.
Any time I have purchased a computer, I have always uninstalled most of the crapware that comes bundled with it. Not only is most of the software useless, it slows the computer down tremendously!
This just gets worse. So Lenovo did a deal with Superfish, understandable for both parties. Lenovo get paid, Superfish gets an installed user base and somehow makes lots of money from the unsuspecting suckers who get their PCs contaminated with the company's odious adware. Obnoxious, but end of story (except for all the kickback from outraged users, security experts, bloggers and journos ... oh, and at least one lawsuit headed Lenovo's way which I hope stings them for a huge amount). End of story, right?
Wrong. Beginning of story.
Superfish, it turns out, was using software from an Israeli company called Komodia, which was written specifically to intercept secure communications. Surprisingly, both SiteAdvisor and WOT rate the company website as Green, although WOT is starting to gather unfavourable reviews. Presumably the company was so low-profile as to be practically anonymous ... but not any more.
http://www.bbc.co.uk/news/technology-31586610 (see final section for komodia)
SSL-busting code that threatened Lenovo users found in a dozen more apps | Ars Technica
“SSL hijacker” behind Superfish debacle imperils large number of users | Ars Technica
Lots of other PCs have Superfish risk - Business Insider
You won't be able to access the company's website right now - and probably not for a while - as it appears to have been knocked offline by a continuing DDoS attack.
There are a couple of test sites which will alert you if Superfish, or any other program that intercepts SSL communications, is present on your system. Try this one, but you'll need to run it in all browsers that you've got installed -
Superfish, Komodia, PrivDog vulnerability test
One thing isn't too clear in all of this. After all the recent fuss about SSL-fallback, and the deprecation of SSL 3.0 in favour of TLS 1.2 - it's likely that SSL 3 will be little used within a very short time - how serious is this latest threat? My own estimate is that it was already a declining threat; the big question is whether this Israeli company (or one of its rivals) already has interception software in place for secure TLS communications. Now, that would be serious.
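A quick local check for what this post describes, added here as an example: it is not code from this thread, from Lenovo, Microsoft or McAfee, and it is not the test site linked above. It runs in PowerShell on Windows and looks through the machine and user trusted-root stores for a certificate whose subject or issuer names Superfish or Komodia (the name patterns are an assumption based on the names discussed in the thread; no thumbprint is hard-coded), and separately flags any trusted root whose private key is present in the Windows key store. A consumer PC should never hold the private key of a root it trusts, so that is a general sign of locally installed interception software, though a product may keep its key inside its own binary rather than the key store, so the second check is a heuristic and not a Superfish-specific test.

```powershell
# Added example (not part of the original thread or of any vendor's removal tool).
# Reports, and optionally removes, suspicious trusted root certificates.
param(
    [switch]$Remove   # report-only by default; pass -Remove to delete name matches
)

# Both the machine-wide and the per-user trusted root stores are checked,
# because an installer can drop a root CA into either one.
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Assumed name pattern: the vendor names discussed in this thread.
$pattern = 'Superfish|Komodia'

$findings = foreach ($store in $stores) {
    foreach ($cert in (Get-ChildItem -Path $store)) {
        $byName = ($cert.Subject -match $pattern) -or ($cert.Issuer -match $pattern)
        $hasKey = $cert.HasPrivateKey   # a trusted root with a local private key is a red flag

        if (-not ($byName -or $hasKey)) { continue }

        $reason = if ($byName) { 'name match' } else { 'private key present' }

        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            PrivateKey = $hasKey
            Reason     = $reason
        }

        # Only name matches are removed automatically; a private-key hit is reported
        # for a human to look at, since some enterprise setups legitimately have one.
        if ($Remove -and $byName) {
            # $cert.PSPath is the provider path of this entry inside the Cert: drive.
            Remove-Item -Path $cert.PSPath
            Write-Host "Removed $($cert.Thumbprint) from $store"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No suspicious trusted roots found in the Windows stores.'
}
```

Run it once without -Remove to see what it finds; deleting from Cert:\LocalMachine\Root needs an elevated prompt. Uninstall the software first (Lenovo's tool linked earlier in the thread does both), since software that installed a root can put it back. Firefox and Thunderbird keep their own certificate store and are not covered by this check, which is also why the test site above has to be run in every browser installed.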
Update - latest
US-CERT have issued an alert about Superfish -
Lenovo Superfish Adware Vulnerable to HTTPS Spoofing | US-CERT
They have also released a Vulnerability Note which gives details of the Komodia Redirector 'interception engine' and SSL Digestor module. This Vulnerability Note gives details of other affected third-party products, including ones by Lavasoft (Ad-Aware) and WebSecure.
Well spotted, mate.
This is old news ...