Lenovo caught installing adware on new computers

http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/

 

Seems that this is going to be a trend across all electronics in the near future. I read that Samsung is embedding Pepsi ads in their smart-TVs even when a consumer is watching a home movie. A lot of free software comes with ads and we can no doubt expect paid software to follow suit. Computer hardware is just another mule. It will not stop there - IOT will be the mother of all mules.

 

From https://news.ycombinator.com/item?id=9072424 I get that this involves MitM, and that all affected consumer laptops have the same certificate. Quoting TeMPOraL:

This may become very funny (in a sick way, yes) soon

Edit: Maybe sooner: https://twitter.com/supersat

Edit2: Test sites: https://www.canibesuperphished.com/ and https://filippo.io/Badfish/

 

No better reason I can think of to do a bare metal wipe with a fresh, clean install of the OS after buying that new computer...

 

You can also run HitmanPro to look for the Superfish malware and SSL root certificate:

 

Well yes. But the problem is that it's even necessary to do that in the first place. People should not have to shell out an extra $100 or whatever, just for the privilege of having an OS that isn't malware infested the first time it boots. This is anti-consumer garbage.

IMO Microsoft needs to step up on this - they should modify their OEM licensing, to prohibit OEMs from preinstalling software they haven't okayed. Companies selling computers with their operating system should be required to play by their rules.

 

Errata Security: Extracting the SuperFish certificate

 

I agree. In no case should people need to do a clean install of the OS in a new computer. This seems absurd to me.

 

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections

-- Tom

 

Fail, the password protecting the private key is the name of the company behind the SSL hijacker:
http://www.komodia.com/

 

http://www.pcworld.com/article/2886...erfish-adware-presintalled-on-lenovo-pcs.html

Superfish CA test

https://filippo.io/Badfish/

 

I knew that I couldn't trust Lenovo, shame on them!

Would HMPA also be able to stop this MITM attack? I haven't read everything yet, but these tools will often modify browser memory. I believe Zemana is already watching for certificate tampering, but then again, it also has a trust-list.

 

I past the test on a Acer desktop.

 

Blog post on solutions:

How to paint yourself into a corner (Lenovo edition)
http://blog.cryptographyengineering.com/2015/02/how-to-paint-yourself-into-corner.html

 

How to remove the dangerous Superfish adware preinstalled on Lenovo PCs

Proceed with all precautions - contact your Lenovo reseller if unsure.
http://www.pcworld.com/article/2886...erfish-adware-presintalled-on-lenovo-pcs.html

 

If internet was taken seriously someone would have to go to jail in this case.

 

Phew!

 

Those test websites use the certificate and private key extracted from Superfish. They are proof-of-concept for site spoofing

 

http://arstechnica.com/security/201...do-enough-promises-to-wipe-superfish-off-pcs/

 

Well Lenovo just got kicked to the curb as possible new laptop for myself.

 

That's a shame as the quality of them is first rate.

 

http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

 

"Good, Superfish is probably not intercepting your connections."
Probably? They aren't even sure...

 

And that is why I would never use preinstalled OS, aside of it's usually full of crap spamming your desktop. But this would get harder to deal with when they started to put one of these into the hardware.

 

I do not believe that the pre-installation of this adware should in any way reflect badly on lenovo because the quality of their laptops is top-notch.A bare-metal wipe of the hard drive and a fresh installation of any os of choice would be a wise choice of action.