Yesterday the tech world exploded with the news that for the past couple of years, Lenovo had been pre-installing a particularly nasty form of malware on its computers: “SuperFish,” a form of adware that not only caused third-party ads to pop up on websites and web searches, but intercepted all encrypted communications and installed its own root certificates to intercept, decrypt and re-encrypt all SSL communications.
Even worse, initial reports said that even removing SuperFish would not fix the certificate problem. And Lenovo's response added insult to injury: on Thursday, even as news spread that SuperFish put all encrypted communications at risk the company initially said, “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.”
That did not go over well. Wired magazine, for example, noted that “Lenovo's response to its dangerous adware is astonishingly clueless” whereas TechDirt more bluntly called it a “blatantly bullshit statement.”
But that was yesterday. Today, Lenovo's focus has been on damage control. The company has released what it says is a full list of all makes and models of machines which might have SuperFish installed:
Flex-Series: Flex2 14, Flex2 15, Flex2 14D, Flex2 15D Flex2 14 (BTM), Flex2 15 (BTM) Flex 10
G-Series: G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45
M-Series: Miix2 – 8, Miix2 – 10, Miix2 – 11,
S-Series: S310, S410, S415; S415 Touch, S20-30, S20-30 Touch, S40-70
U-Series: U330P, U430P, U330Touch, U430Touch, U540Touch
Y-Series: Y430P, Y40-70, Y50-70
Yoga-Series: Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13
Z-Series: Z40-70, Z40-75, Z50-70, Z50-75
What to do
If you have any model of computer, not just Lenovo, you can visit this site to see if your computer is infected with SuperFish.
Lenovo also released a set of step-by-step instructions which it says will tell users how to uninstall SuperFish, and also how to remove the SuperFish certificate from Mozilla products and from Internet Explorer, Chrome, Opera, Safari and Maxthon.
All three webpages had the following message across the top:
By using this website you allow us to place cookies on your computer. They are harmless and never personally identify you.
Hopefully, Lenovo is right about that. Of course, that reassurance comes from the same company that pre-loaded its computers with easily hackable encryption-busting fake-security-certificate malware and then, after this was discovered, claimed it could “not find any evidence to substantiate security concerns.” So take Lenovo's reassurances with however many grains of salt you find appropriate.