Ars Technica reports the Chinese multinational is selling computers with pre-installed adware that hijacks encrypted web sessions and leaves users vulnerable to HTTPS man-in-the-middle attacks—in which an attacker to have the ability to both monitor and alter or inject messages into a communication channel—that are easy for attackers to carry out.
Made by a company called Superfish, the adware is essentially an Internet browser add-on that inserts advertisements on websites visited by users. The ads pop up when users hover over certain images on a website. This has been reported by users of Microsoft Internet Explorer and Google Chrome.
The add-on is a serious threat that takes up computer space and, more importantly, undermines important security protocols.
Lenovo identified 43 of its models that were affected by the malware, including some of its Flex, E-, G-, S-, U-, Y- and Z-series laptops and several Miix and Yoga tablets.
“This is exactly what bad guys do with trojans and other malicious software to trick users to access fake sites to surveil/monitor private communications,” Kevin Bocek, an executive at cybersecurity company Venafi, told CNN Money.
Lenovo faced tough questions about why and for how long it had installed the malware on its computers, and what data was collected.
“Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping,” Lenovo said in a statement. “However, user feedback was not positive, and we responded quickly and decisively.”
The company said it has taken the following three steps:
-Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
-Lenovo stopped preloading the software in January.
-We will not preload this software in the future.
The San Francisco-based digital rights group Electronic Frontier Foundation (EFF) has published instructions on how owners of Lenovo computers can remove Superfish.
