Lenovo caught installing adware on new computers

Before the Lenovo brand.... I.B.M. didn't seem to have this problem.

 

It speaks ill of their competence and/or morals.

 

Lenovo are no longer installing Superfish on their laptops.

Lenovo Security Advisory: LEN-2015-010

 

Too late, the trust has been damaged.

 

I think it's good that they have acknowledged it, and have provided a link to removal instructions and are no longer including it on their computers. I personally wouldn't let this incident stop me from purchasing a Lenovo laptop, and switching to another brand (which more than likely would not have the same quality and reliability of a ThinkPad).

 

I do agree that this has damaged the Lenovo brand.

However, it is notable that (as far as we know) only consumer models were affected by this. And I gather that their consumer models are junk in many other ways. The enterprise vs consumer dichotomy is not at all unique to Lenovo. Consider Dell, for example.

I've always gone for low-end enterprise gear (as high as my budget allowed) instead of high-end consumer gear. You get better tech support too

 

I also heard that the enterprise product line is usually more durable. Only if I could get the enterprise product line, it's even hard to get something with 4GB RAM in my place.

 

I but cheap used ThinkPads from eBay and then install more RAM and a bigger hard drive if needed. For what I use my laptops for I really don't have a need for the latest processors - older processers are more than fast enough, and by buying a ThinkPad I know I'm getting excellent quality.

 

I can't buy and import electronic equipments online from out of the state since it will be considered as smuggling, even if I only buy one item. As for the RAM... well I think it can be worked out if I ask my cousin to buy it and send the parts to my place. Just hope they aren't going to throw the packet into the airplane's baggage. They sometimes wouldn't care even with that fragile warning tag clearly printed on the box.

Anyway, has other manufacturers attempted this practice as well?

 

Good point especially considering Lenovo is the world's largest PC OEM.

 

How to remove the Superfish malware: What Lenovo doesn’t tell you

http://arstechnica.com/security/201...uperfish-malware-what-lenovo-doesnt-tell-you/

 

Superfish: A History Of Malware Complaints And International Surveillance

http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/

 

Good article.

 

Lenovo would have been 100% aware of the purpose of Superfish. If Lenovo just accepted a marketing/sales pitch without a technical assessment of the product, it is gross negligence on their part. They have stopped the rollout of Superfish/Visual discovery but they have not announced that they have severed their relationship with the company that developed the software, afaik. Will Visual Discovery be rewritten to make a return under a different name and as it was originally intended?

'Revenue tool' has become the 2015 politically correct term for money grab. It sounds a lot more friendly than 'surveillance tool'. These RTs are being marketed as user value-add tools, so the uninformed user thinks they are getting something that benefits them. Pre-installing a surveillance tool is unethical by any measure. Rolling out a dangerous product is beyond the pale. Lenovo owners may never be return buyers, not because they are dissatisfied with the quality of the hardware, but because they have lost the most valuable commodity a company can have with its buyers; Trust.

 

Don't make me laugh, Lenovo has screwed up big time with this incident but 'Revenue tools' are no money grab, they are the only way for PC makers to survive:
http://www.theguardian.com/technolo...-trap-windows-chrome-hp-dell-lenovo-asus-acer

Less than 15 dollars of profit per computer on average. Some companies do even worse:"Acer's financial results suggest that it has made a loss on almost every PC it has sold since the second quarter of 2011. Its best performance in that space was in the second quarter of 2012 - when for every PC it sold, it made an average profit of just $1.13."

 

You can now use Windows Defender to get rid of Superfish and its crappy certificates except for the Firefox one, apparently:

http://www.neowin.net/news/microsof...ies-superfish-like-a-piece-of-carp-that-it-is

 

ESET users are now protected from the Lenovo adware via:
http://virusradar.com/en/Win32_Adware.SuperFish.A/description

Also see:
Windows Defender now protects against same:
http://www.theverge.com/2015/2/20/8077033/superfish-fix-microsoft-windows-defender

 

Thanks - always appreciate good feedback.

 

What is Superfish: https://nakedsecurity.sophos.com/2015/02/20/the-lenovo-superfish-controversy-what-you-need-to-know/
How to remove Superfish: https://nakedsecurity.sophos.com/2015/02/20/how-to-get-rid-of-the-lenovo-superfish-adware/

 

U.S. government urges Lenovo customers to remove Superfish software

http://www.reuters.com/article/2015/02/20/us-lenovo-cybersecurity-dhs-idUSKBN0LO21U20150220

 

I do agree that the margins are low on PC hardware. I have read similar articles to the one you linked to. Visual Discovery is a Revenue Tool because it brings them revenue through advertising. It can become a revenue stream tied to a mac address. As it is a stealth install and marketed as a value-add product, it is a money grab. Bloat generates more profit per unit as many users initialize the pre-installed software trials and eventually buy the products. It is intended to be a lure. Companies that make quality products, like Lenovo does, will often support less profitable product lines with their more profitable products. Lenovo is a very big profitable business. They are leaders in the industry.

 

Some things I don´t understand about this:

1. Why was it discovered only after several years of being in use? Weren´t people receiving "strange" ads during all these years? Nobody was curious about them?
2. Why wasn´t it detected by the normal anti-malware software, or by programs like AdwCleaner?
3. Can this type of threat be implanted only by OEMs? Or can it be implanted by other software or malware?

 

It's worse, the private key is not even needed, as with a small trick, it will accept any self signed certificate:
https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/

And Superfish is not the only one using this crap:
https://gist.github.com/Wack0/17c56b77a90073be81d3

 

Lenovo officially responds to Superfish, releases list of affected systems
http://www.extremetech.com/computin...o-superfish-releases-list-of-affected-systems

 

Lenovo and Superfish? Don’t panic, you may not be affected
http://www.welivesecurity.com/2015/02/20/lenovo-superfish-dont-panic-may-affected/