It should not have happened in the first place

Feb 23, 2015 01:29 GMT

Lenovo CEO Peter Hortensius does not tweet much. Since he joined Twitter in October 2014 he published only 33 messages, 21 of them being re-tweets from others.

So it is safe to assume that when Hortensius uses the microblogging platform he has something important to communicate, and the last three entries in his feed are definitely worth reading for owners of Lenovo consumer netbooks, especially those running the factory image of the Windows operating system.

Superfish products have been labeled as PUPs before

On Wednesday, Google security researcher Chris Palmer discovered that some Lenovo laptops shipped with the browser add-on Superfish installed, which added a root certificate to the Windows certificate store and re-signed the certificates of all HTTPS websites.

Briefly put, it acted as a proxy between the client and the secure website, intercepting the encrypted communication and decrypting it. The purpose of the browser component was to inject ads into the websites visited by the user.

Although this is not malicious in nature when performed by a legitimate party, Superfish’s implementation did present major risks: not only was the same root certificate used on all machines, but the private key belonging to it was stored locally and could be extracted with little effort, as security researcher Robert Graham demonstrated.

At least one product from Superfish (see Window Shopper) was labeled as adware a long time ago and drew plenty of complaints from users asking for a way to remove it from their computers. Needless to say, tutorials for doing so could already be found with the utmost ease.

More thorough verification could have saved the company some trouble

However, Lenovo struck a deal to have one of them bundled into the operating system shipped on some of its consumer laptops. The company did not make this mistake with ThinkPads, tablets, desktops or smartphones, or with any enterprise server or storage device.

The company even listened to its customers when they complained about Superfish: starting in January, it no longer offered devices pre-loaded with the unwanted software, which had shipped on devices sold since September 2014, and it also terminated the server connections that enabled the ad injection.

Despite the quick response from Lenovo, Superfish should not have made it onto their hardware to begin with. The simple fact that the application had already been labeled by a slew of other users as undesirable should have been sufficient for Lenovo to think twice.

This should at least have triggered closer checking of the product to learn how it carried out its tasks; even if its behavior was deemed harmless because Superfish did not collect user data, the simple fact that the root certificate was stored locally should have been reason enough for further investigation.

Some may point out that security experts failed to notice the risky practice too, but this does not exonerate Lenovo. Superfish is also responsible for the entire blunder, because it relied on a third-party component (SSL Digestor from Komodia) to add the functionality for intercepting secure traffic.

Company's response was swift

In Lenovo’s defense, as soon as the security problem was fully grasped, the company initiated action to solve it immediately. In the end, the company admitted that it “messed up” and delivered a solution to fully uninstall Superfish.

This meant removing not only the program but also the root certificate it injected into the Windows certificate store (used by Internet Explorer and Google Chrome) and into the Mozilla store, used by the Firefox web browser and the Thunderbird email client.
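As an added defender-side check (this is not Lenovo’s or Microsoft’s removal tool), the following PowerShell audit lists certificates in the Windows root stores whose name matches a pattern (assumed here to be "Superfish") and, more generally, any trust anchor whose private key is present on the machine, which is the condition the article flags. The function and variable names are made up for this example.

```powershell
# Added example: audit Windows root stores for a named certificate and for
# any root certificate that carries a private key on this machine.
$storePaths = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Get-SuspiciousRootCert {
    param(
        [string[]]$StorePaths  = $storePaths,
        [string]  $NamePattern = 'Superfish'   # assumption: name seen in the article
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $reasons = @()
            if ($_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern) {
                $reasons += "name matches '$NamePattern'"
            }
            # A trust anchor should never ship with its private key; a key that is
            # present locally is what let the Superfish root be extracted and reused.
            if ($_.HasPrivateKey) {
                $reasons += 'private key present on this machine'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only; removal stays a separate, deliberate step.
Get-SuspiciousRootCert | Format-Table -AutoSize
```

Enterprise machines that host their own internal CA will legitimately show a root with a private key, so treat each hit as a lead to review rather than as proof of tampering; the Mozilla store is separate and is not covered by this check.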

Since the instructions required user interaction to mitigate the risk, Lenovo was aware that the issue would persist on many computers in the absence of an automated alternative.

As such, it worked “with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed.” The result was a tool from Lenovo that achieves exactly this.

Moreover, Microsoft also issued a signature for Windows Defender and Security Essentials, the free antivirus solutions on Windows Vista through 8.1, that accomplished the same task.

Superfish is not the only software to rely on SSL Digestor from Komodia. Keep My Family Secure, Qustodio and Kurupira WebFilter are just three other examples, and in all cases the password for the RSA key protecting the certificate is the same one used by the software installed on Lenovo laptops.