Lenovo Accused of Installing Adware on New PCs

Lenovo, the world’s biggest maker of PCs, has been installing adware on its PCs in order to deliver custom ads. Lenovo says the software is not malicious, but the software could easily be used to spy on users and hack PCs. So the PC maker has stopped shipping it on new PCs and has asked its maker to update it to address any issues.

Here’s what’s happening.

Lenovo has been installing software called Superfish—made by a company of the same name—on the PCs it sells to consumers (but not businesses). The customer can actually opt out of Superfish during the initial PC setup, though of course many do not. According to Lenovo, Superfish is a “visual search” enhancement, but what it really does is inject third-party advertisements into Google search results and other web sites.

And it does so even over the encrypted connections that Google uses. This means that Superfish acts like malware—is in fact malware—and uses a so-called man-in-the-middle attack by providing a self-signed security certificate to fool remote web sites into decrypting their data. In other words, this software could easily be used to snoop on the users who buy Lenovo PCs. And the fear is that this is already happening.

Lenovo says it is doing nothing of the kind and that Superfish is used only for customized advertising. In other words, the company is claiming that Superfish is simply adware and not malware. This distinction seems somewhat subtle to me, and a better question is why on earth the world’s biggest PC maker would ship this kind of garbage on its machines: Superfish is doing nothing less than injecting itself into the certificate chain of trust on its customers’ PCs and it is using malicious software to do so, regardless of its intentions.

Worse, it doesn’t matter what Lenovo intends: Any hacker could use the Superfish private certificate key—which is common to all PCs that have this software installed—to intercept supposedly encrypted traffic from a PC in a public Wi-Fi hotspot and hack that PC and, potentially, access private personal data.

Lenovo says it is taking steps to correct this problem.

“We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues,” a Lenovo statement notes. “As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”

That is not a solution. Lenovo should remove Superfish from existing PCs and stop bundling this crap on new PCs. Period.

Regardless of Lenovo’s statements and subsequent actions, I had been warned earlier this year that 2015 would see an escalation of PC “crapware” that would include pop-ups and other forms of overt advertising. This comes during a year in which Microsoft CEO Satya Nadella says he wants users to “love” Windows, something that will never happen as long as PC makers are subverting the experience like this. Not coincidentally, these events have inspired me to write a series of Clean PC articles on Thurrott.com.

Lenovo has been shipping Superfish on its consumer PCs for two years, so there are potentially over 100 million infected PCs out there right now. Is there good news? Not really: While Superfish is identified as malware by most popular anti-virus and anti-malware solutions, removing the software from your system doesn’t actually remove the rogue certificate. So the only real way to rid your PC of this mess is to install a clean version of Windows. Fortunately, I can help you with that. Or, as a workaround, you could simply use the Firefox web browser, which maintains its own certificate store. Hopefully, Lenovo will issue a patch quickly.
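
Because the certificate can outlive the software, it is worth checking the Windows trusted-root stores directly. The script below is an added example, not something from Lenovo or Superfish; the function name `Find-RootCertificate` is hypothetical, and it assumes the leftover certificate's subject or issuer contains the string "Superfish".

```powershell
# Added example: audit the Windows trusted-root stores for a leftover certificate.
# Assumption: the certificate's subject or issuer contains the string "Superfish".
function Find-RootCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Pattern = 'Superfish',   # text to look for in Subject/Issuer
        [switch]$Remove                   # delete matches after confirmation
    )

    # Machine-wide and per-user trusted roots. A certificate in either store
    # is trusted by every program that relies on the Windows certificate store.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $regex  = [regex]::Escape($Pattern)   # treat the pattern as literal text

    foreach ($store in $stores) {
        $hits = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $regex -or $_.Issuer -match $regex }

        foreach ($cert in $hits) {
            # Emit one report object per matching certificate.
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }

            # Removal is opt-in and prompts before each deletion.
            $target = "$store\$($cert.Thumbprint)"
            if ($Remove -and $PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
                Remove-Item -LiteralPath $cert.PSPath
            }
        }
    }
}

# Report only:
Find-RootCertificate

# Report and delete (run elevated to change the LocalMachine store):
# Find-RootCertificate -Remove
```

This only inspects the Windows stores; Firefox, which maintains its own certificate store, has to be checked separately in the browser.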