PhotoSecurity researchers discovered this week that Lenovo computers come pre-installed with a particularly nasty form of adware that hijacked users' web connections to make them very easy to spy upon and extremely vulnerable to “man in the middle” attacks (although, as of Thursday afternoon, Lenovo says that henceforth it will stop pre-loading the adware on forthcoming machines).

Any Lenovo computer installed with a program called Superfish is as risk — and uninstalling Superfish won't make the problem go away. Superfish supposedly offers users a “visual search” experience, although what it actually does is insert third-party ads into websites and Google search results (hence its “adware” designation).

As annoying as those third-party ads are to users, they're not the main problem. The real issue with Superfish is that it intercepts all encrypted communications, enabling it to see things it's not supposed to. Worse still is how Superfish does this. As Robert Graham from Errata Security explained:

SuperFish installs its own root CA certificate [and] then generates certificates on the fly for each attempted SSL connection. Thus, when you have a Lenovo computer, it appears as SuperFish is the root CA of all the websites you visit. This allows SuperFish to intercept an encrypted SSL connection, decrypt it, then re-encrypt it again.

And it still gets worse: Superfish uses the same fake security certificate every time, on every Lenovo machine, and even if you remove Superfish from your computer, the flawed fake security certificate remains.

What to do

How can you tell if your Lenovo computer is infected with Superfish or not? Filippo and LastPass have both released online “tests” which will tell you whether your Lenovo is infected or not.

In a worst-case scenario – you discover your machine is infected, but you can't afford to replace it right now – you should at least avoid using that machine for any secure online activities, such as online banking or even checking your emails. Basically, avoid doing anything password-protected with your computer, since you can't get rid of those fake security certificates.


Share your Comments