Throughout the last few days, the software program Superfish has found itself sharing headlines with the pre-built computer giant Lenovo. While some may say that no press is bad press, I would argue that neither company would like to be called out for distributing adware to unwitting customers. And most likely, if you’ve browsed even a single headline from any online news organization, whether or not it pays any attention to tech, you’ve at least heard that Superfish, Lenovo, and adware are somehow related.
Well first of all, I’m here to tell you that while this is potentially a major security concern, especially if you bought a Lenovo sometime in the last two years, the fact that you’ve come to this article means that there is relief in sight. If you don’t have a Lenovo, don’t worry about it, but still read the first two sections. If you’re thinking about buying a Lenovo and are now second-guessing your decision, stop it.
- Lenovo makes wonderful computers. In fact, I’d argue they make some of the best computers in the business.
- Lenovo doesn’t include this software on their computers anymore. If you go shopping at a Best Buy or Amazon today and look at Lenovo laptops, most likely you will not find Superfish on their computers. Don’t worry about it. That said, I would still recommend you look at the first two sections.
What’s the Deal With Superfish?
Superfish is the name of a software company and of its suite of visual search optimization software. If you go to their website, they mention that their software makes “visual search” a reality by taking images you take of things in the real world, matching them with products or images found online, and showing you product information, sales information, or other things like that. There’s even a vague reference to being able to type a description of something into their search algorithm so that it finds what you’re looking for through image searches and web information. Their mission statement is super vague, and even the promises of their software are dubious at best.
Based on my research outside the official company information, it looks like the program in question is a web browser plugin that sits in the background, looks at things that you’re looking at or searching for, and delivers advertisements about related products and sales. Essentially, it’s just an annoying web browser plugin that gives you targeted ads. Annoying, but essentially harmless.
The problem, though, is in how it gets the information it uses to target you. With many secure websites like banks or online shopping sites, when a program or plugin attempts to look at the information that you’re inputting, like a credit card number, an item that you’re putting in your cart, or a bank password, the website requires the program to have a security pass called an SSL certificate that guarantees that the connection is secure and that the user is not at risk. Getting these certificates is normally a very tricky thing for a third-party program that you install, but when you’re the OEM who is installing Windows on the computer for the user, you can certainly decide who gets what.
On Thursday, Kenn White posted an image on Twitter showing that the Superfish program that had been installed on many Lenovo computers over the last couple of years had the ability to create its own SSL certificates and therefore access literally any information in your web browsing, even if the website is secured with SSL. The software company has since tried to clarify its position by assuring us that it doesn’t use or sell this data to anyone, but instead just uses it within its algorithms to deliver targeted ads. But that’s not the problem. The problem is that when a single program has the ability to create its own certificates, that creates a loophole in which other malicious spyware, adware, or viruses can hijack Superfish and access secure web traffic like bank passwords, credit card numbers, etc.
The good news is that Lenovo has not included the software on its computers since the Fall of 2014 and shut down the servers that distributed the software in January of 2015. The bad news is that if you bought a Lenovo from 2012 to Summer of 2014, then you have this glaring security loophole that’s only become more and more public. But thankfully, there’s a way to do something about it. Wondering if you’re affected? Here’s the list of potentially affected models according to Lenovo:
Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
If you’re still not sure, go to this website. If you see a message saying you’re safe, then you’re good to go. Otherwise, LastPass’s website will give you a notification saying you need to remove it.
Using Microsoft’s Windows Defender? You’re Mostly Good to Go
If you’re smart enough to have removed Lenovo’s pre-loaded anti-virus trial and either installed Microsoft Security Essentials on a Windows 7 install or let Windows 8’s built-in Windows Defender software run, then you’re probably fine.
Yesterday, Microsoft published a definition update to Windows Defender that automatically removes Superfish and any harmful SSL certificates it created for itself. Woo hoo!
According to Peter Bright via Ars Technica, this does not appear to fix any compromised installs of Firefox or Thunderbird, so you may want to check for the Superfish certificate manually. Not sure how to do that?
- Open Firefox
- Click the Hamburger menu in the top right
- Click Options
- Click the Advanced tab along the top
- Click the Certificates tab in the middle of the screen
- Click on View certificates
- Look for an entry called “Superfish” – If you find one, click on the “Delete or Distrust” option
Update: It appears that other security programs such as McAfee also include definitions to remove the software, but none of them as yet remove the harmful Firefox certificates. If your A/V program says it removed the software, and you use Firefox, it’s best to check that the Firefox certificates are removed.
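The Firefox steps above cover Firefox’s own certificate store; the Windows certificate stores (the ones Windows Defender and the other A/V definitions clean up) can be checked separately. The following PowerShell script is an added example of that check, not part of the original article and not Lenovo’s tool; it simply lists any certificate in the common root and intermediate stores whose subject or issuer mentions Superfish, plus any installed program with Superfish in its name.

```powershell
# Added example (not from the article or from Lenovo): report any Superfish
# root/intermediate certificate in the Windows certificate stores and any
# installed program whose display name mentions Superfish.
# Firefox and Thunderbird keep their own certificate stores, which this
# script does not read; use the manual Firefox steps for those.

$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
)

# Collect every certificate whose subject or issuer contains "Superfish".
$certHits = foreach ($store in $stores) {
    if (Test-Path $store) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

# Check the standard Uninstall registry keys for a Superfish program entry.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programHits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Superfish' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if ($certHits -or $programHits) {
    Write-Warning 'Superfish traces found. Run the Lenovo removal tool or an up-to-date A/V definition, then re-run this check.'
    if ($certHits)    { $certHits    | Format-Table -AutoSize }
    if ($programHits) { $programHits | Format-Table -AutoSize }
} else {
    Write-Output 'No Superfish certificate or program entry found in the Windows stores.'
}
```

Run it in a normal PowerShell window; reading the certificate stores and the Uninstall keys does not require administrator rights, only removal does.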
Use the Lenovo Removal Tool
When this news broke into national headlines yesterday, Lenovo initially published manual removal instructions on its support site. However, the people most likely to be affected by this will probably be unwilling to delve into sensitive software components to fix it. Thankfully, Lenovo released an automated tool this morning that will remove all Superfish traces and all harmful certificates for “all major browsers.”
Since their manual removal instructions specifically mention Firefox and Internet Explorer, which are the two affected browsers, I would assume that “all major browsers” includes those two. I have not tested the tool myself, but it appears that it does work to remove all traces of Superfish, so this will probably be the easiest way to ensure that everything is removed.
On a side note, Lenovo has mentioned that they are working with Microsoft, McAfee, and other Security providers on creating complete definition updates and removal tools that will automatically delete the program. As a result, even if you’re not reading this article, as long as you have something that protects you against viruses and spyware, this will probably not be an issue for you for long.