PC manufacturer Lenovo sold out its customers in the fourth quarter of 2014. Bloatware is hardly a new phenomenon (and is universally despised) as it allows manufacturers to increase their profit margins by cutting deals to preload their computers with specified software, toolbars, and trials. Antivirus trials are common and get in the way while decreasing the customer’s actual security. This pre-loaded software is commonly known as bloatware and even has tools built to deal with their quick removal.
In this instance with Superfish, Lenovo went too far. It not only installed adware on brand new computers for the company’s own gain but it also compromised the security of those consumer-line computers. Superfish uses a man-in-the-middle attack to intercept and decrypt normally encrypted SSL traffic (websites with https). This allowed it to insert advertisements into the websites you visited and track your traffic.
Lenovo first posted to their support forums that there was no credible security thread but has since posted a High severity security advisory.
From the Lenovo Security Advisory (LEN-2015-010) on Superfish:
Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively:
Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software product is no longer active, effectively disabling Superfish for all products in the market.
Lenovo ordered the pre-load removal in January.
We will not preload this software in the future.Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. The application can be uninstalled; however, the current uninstaller does not remove the Superfish root certificate.
The Security Advisory lists the affected products
If you are using a recent Lenovo computer, or any computer really, you can test to see if you are infected with Superfish by using two different testing sites:
- LastPass
- Filippo
These sites will indicate if your computer still has the Superfish CA loaded.
If Superfish is detected on your computer, you will want to uninstall it. Microsoft updated Microsoft Security Essentials/Windows Defender to remove Superfish but it does not remove the MitM certificate.
You can follow the instructions below to remove Superfish from your computer (Lenovo has their own instructions):
Step 1: Uninstall Superfish
From the Control Panel, Programs and Features find Superfish Inc. VisualDiscovery. Select it and choose to uninstall the program. You may have to enter your administrator password if prompted.
Step 2: Remove the certificate
From the Start Menu or Start Screen search fro certmgr.msc. Right-click it and choose ‘Run as administrator’.
Drill down to Trusted Root Certification Authorities, Certificates. From the right-pane, scroll down until you find Superfish, Inc. Right-click it and choose Delete. At the warning prompt, confirm ‘Yes’ that you wish to delete this root certificate.
Step 3: Remove the certificate from Firefox or Thunderbird
If you use Mozilla products like Firefox or Thunderbird, you will want to verify the certificate is not in its Certificate Manager as well.
Go to Options from the Settings menu or Preferences. On the Advanced tab and Certificates sub-tab, click the ‘View Certificates’ button. Scroll through the list looking for Superfish and if you find it select it and hit the ‘Delete or Distrust…’ button.
Step 4: Restart
Restart your browsers or even the whole computer.
Step 5: Check again
Head over to one of the Superfish test pages (linked above) and see if your computer is now coming up clean. You might check in all the different browsers you use, just to verify.
Lenovo also has a SuperFish Removal Utility available for download. If you’re having a hard time trusting them, they posted the source code to GitHub. Of course, you can also just follow the steps above.