Chinese computer manufacturer Lenovo Group Ltd was caught shipping the Superfish adware on Lenovo-brand personal computers, prompting class action lawyers to file consumer fraud and invasion of privacy lawsuits. The laptops affected by Superfish include non-ThinkPad models such as the G Series, U Series, Y Series, Z Series, S Series, Flex, Miix, Yoga and E Series. The adware Lenovo installed used a “man-in-the-middle” attack to break secure connections, access sensitive data and inject advertising. This included installing a very weak certificate into the system, which compromises any secure connection to virtually any website.
The Superfish software Lenovo pre-loaded tracks user behavior and makes product recommendations. The software has major security holes which expose Lenovo customers to malicious attacks that can access login information, credit card information and other private customer data. Lenovo began installing the spyware/adware in September 2014 and continued through January 2015. Security researcher Marc Rogers of CloudFlare called out the Komodia-made proxy for not properly implementing SSL (Secure Sockets Layer), the Web’s encryption standard, leaving PCs with the software open to tampering or eavesdropping even if the certificate hadn’t been junk. Software with this vulnerability extends beyond Lenovo computers and the class action lawsuits currently filed.
Is my Lenovo computer model affected? Here is the list of affected products that Lenovo published on its website:
This advisory only applies to Lenovo Notebook products.
(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)
SuperFish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively:
- SuperFish has completely disabled server side interactions (since January) on all Lenovo products so that the software product is no longer active, effectively disabling SuperFish for all products in the market.
- Lenovo ordered the pre-load removal in January.
- We will not preload this software in the future.
Published reports have recently identified vulnerabilities in the software, which include installation of a self-signed root certificate in the local trusted CA store.
Flex-Series: Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 Pro, Flex 10
G-Series: G410, G510, G710, G40-30, G40-45, G40-70, G40-80, G50-50, G50-45, G50-70, G50-80, G50-80 Touch
Miix-Series: Miix2 – 8, Miix2 – 10, Miix2 – 11, Miix 3 – 1030
S-Series: S310, S410, S415, S415 Touch, S435, S20-30, S20-30 Touch, S40-70
U-Series: U330P, U430P, U330 Touch, U430 Touch, U540 Touch
Y-Series: Y430P, Y40-70, Y40-80, Y50-70, Y70-70
Yoga-Series: Yoga2-11, Yoga2-13, Yoga2Pro-13, Yoga3 Pro
Z-Series: Z40-70, Z40-75, Z50-70, Z50-75, Z70-8
Two more software makers have since been caught adding dangerous, Superfish-style spyware to applications: AV company Lavasoft, and Comodo, a company that issues roughly one-third of the Internet’s Transport Layer Security certificates, making it the world’s biggest certificate authority.
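The interception described above works because the adware's self-signed root sits in the trusted CA store, so every site's certificate appears to be signed by that root instead of by a public CA. The following check is an added example, not code from the article or from Lenovo: it connects to a site using the operating system's trust store and inspects who issued the certificate the site presented. It goes slightly beyond the Superfish case by also flagging any issuer that is not the public CA you expect, which catches other interception proxies the same way. The expected-issuer set, the hostname and the sample certificates are constructed for illustration.

```python
import socket
import ssl

# Hypothetical: the public CA organisation(s) known to sign the site you check.
EXPECTED_ISSUER_ORGS = {"Example Public CA"}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def classify(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Classify a leaf certificate by who issued it.

    'superfish'  - the issuer names Superfish: the adware root is trusted and active.
    'unexpected' - some other issuer you did not expect: possibly another
                   interception proxy re-signing traffic with a local root.
    'ok'         - the public CA you expected signed the certificate.
    """
    org = issuer_org(cert) or ""
    if "superfish" in org.lower():
        return "superfish"
    return "ok" if org in expected_orgs else "unexpected"


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a server presents, validated against the OS trust store.

    Validation stays on deliberately: a root installed in the trusted CA store makes
    the proxy's forged chain validate, which is exactly the condition we want to see.
    If no such root is trusted, the forged chain fails the handshake instead.
    """
    ctx = ssl.create_default_context()  # loads the OS trust store, Superfish root included
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # constructed default
    print(host, "->", classify(fetch_leaf_cert(host)))
```

Run it from the machine under suspicion, since the trust store being inspected is the local one; a result of `superfish` or `unexpected` for a site whose public CA you know means a locally trusted root is re-signing your traffic.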