Superfish Drama Winds Down, But the Damage is Done

Last week was a moment of reckoning for the world’s biggest PC maker as Lenovo was thrust awkwardly into the spotlight for preinstalling malware on its consumer PCs. Lenovo belatedly did the right thing, but not before it tried to defend the indefensible and argue that the Superfish malware it was bundling on PCs was somehow aimed at helping its customers.

What stands out most about the Superfish drama isn’t so much the technology—no customers were actually hacked, despite all the excitement—but rather Lenovo’s ham-handed response.

“Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing,” a Lenovo statement notes. “However, user feedback was not positive, and we responded quickly and decisively.”

Actually, Lenovo did not act quickly or decisively.

The firm had been fielding complaints about Superfish since September 2014, and only responded when the malware bundling was reported in mainstream news outlets more recently thanks to a blog post by security researcher Marc Rogers. And its responses were like the seven stages of grief played out in real time, with Lenovo in turn denying that anything was wrong, insisting that it had added this code to PCs to benefit consumers, blaming the makers of the software, asking for Superfish to be modified to be less exploitive, and then finally agreeing to remove Superfish from existing PCs and never install it again on new PCs.

“Superfish has completely disabled server side interactions on all Lenovo products so that the software product is no longer active, effectively disabling Superfish for all products in the market,” Lenovo explains. “Lenovo ordered the pre-load removal in January [and] we will not preload this software in the future.”

Like any well-made malware, Superfish is very hard to remove. Yes, you can uninstall the software, but that doesn’t remove the bogus self-signed root certificate in the local trusted Certificate Authority store. So Lenovo provides complete instructions for removing this malware, and of course various anti-malware and AV software packages—including Microsoft’s Defender—were quickly updated last week to address Superfish. So some companies, at least, were moving quickly and decisively to protect consumers.

And Superfish really does impact a wide range of PCs, including the Lenovo-branded E10-30, Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 14 (BTM), Flex2 15 (BTM), Flex 10, G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45, Miix2-8, Miix2-10, Miix2-11, S310, S410, S415, S415 Touch, S20-30, S20-30 Touch, S40-70, U330P, U430P, U330Touch, U430Touch, U540Touch, Y430P, Y40-70, Y50-70, Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13, Z40-70, Z40-75, Z50-70 and Z50-75.

HP took to Twitter to lampoon Lenovo’s problems, noting that “[sushi is] the only thing you should have to think of when someone says Superfish.” This rather mean-spirited stab at the company that displaced it as the world’s biggest maker of PCs would be funny in isolation. But HP is as guilty as Lenovo in bundling terrible and pointless crapware on its own PCs and devices.


HP also issued a public opinion piece of its own about Superfish, noting that its own crapware bundling was at least not dangerous. “HP, like virtually every other major manufacturer on consumer laptops, does pre-install software to enhance customer experience, but there is a key difference between most preinstalled software and Superfish,” HP explains. “Superfish exposes customers to security vulnerabilities, is not easily removable, and hides its code from everyday users.”

Not surprisingly, Lenovo and Superfish now face a potential class-action lawsuit for their “fraudulent” business practices and for shipping PCs that are vulnerable to electronic attack. The plaintiffs are seeking unspecified damages from both companies as part of a lawsuit filed in the US District Court in California’s Southern district.

That lawsuit may be the least of Lenovo’s problems. By showing such a callous disregard for the well-being of its customers, the PC maker may have irreparably harmed its reputation with consumers, who may now shun the brand in favor of other manufacturers. It may take months or even years to calculate the damage to Lenovo’s brand and bottom line.

But to be fair, Lenovo isn’t the only technology company injecting “man-in-the-middle” malware into our computing experiences. In-flight Internet service Gogo was caught doing the same last month, and security researchers have more recently discovered similar tomfoolery: Lavasoft Ad-aware uses Komodia SSL-interception technology that is very similar to Superfish, as does the standalone version of Comodo PrivDog. Irony alert: Both of these products are supposed to protect your PC from malware.