What's worse is that the private key is embedded in the software, so anybody with some technical skill can extract the key and sign any number of certs that would be trusted blindly by any compromised computer.
Great job Lenovo, I really hope there are repercussions for doing stuff like this.
This is why I always, always do a fresh install on any laptop I buy. I always figured less bloatware was good enough reason to do a fresh install, now I can add spyware to that list.
It's a pretty big breach of trust on Lenovo's part, and a gaping security hole. I can't say I'm shocked given the sketchy nature of a lot of Made In China tech products. Lenovo is supposed to be a reputable brand though.
As one comment on Ars put it:
"The relationship with Superfish is not financially significant,"
Translation: We were willing to throw our customers under a bus for very little money.
The best advice is definitely to remove Superfish immediately. Rob Graham cracked the password for their cert yesterday (read about it here http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html), and has subsequently shown how you can stand up a webserver to perform a MitM attack against clients that trust the Superfish certs. The example he used was to install a default instance of Apache that was claiming to be bankofamerica.com, and (obviously) the browser trusts the cert from superfish that's presented.