Superfish: Lenovo preinstalled dangerous Adware and MITM software

[timread]

Surprised not to see a mention of it yet in these forums... Lenovo has admitted preinstalling dangerous adware on many consumer machines sold between September and December 2014, called Superfish. Ostensibly it's just ad insertion crapware. However, the software installs a Root CA Certificate and acts as man-in-the-middle proxy, meaning that it can inject itself into your online banking and other HTTPS website usage. Better still, the root CA certificate only used 1024-bit encryption and the certificate password has already been cracked.

Lenovo don't seem to understand just how major a screw up this is, yet.

There's more information here:
http://www.kb.cert.org/vuls/id/529496
http://www.theregister.co.uk/2015/02...erfish_killer/ (this article also contains a list of the Lenovo models affected)
http://blog.erratasec.com/2015/02/ex...rtificate.html

Check if your Lenovo is one of the ones affected by visiting this website:
https://filippo.io/Badfish/ (this is a genuine link, listed in the CERT article linked above - visit it via that article if you don't trust me)

[russelllongy]

i looked at gettin a lenovo laptop 2 days ago and this issue stopped me from buying it

[matematika]

This is all true, but there are a couple of superfish removal tools readily available even directly from Lenovo. Apart from that I prefer reinstalling windows as soon as I can with new pcs, especially with the windows 10 upgrade thing.

Also if you upgrade to windows 10 but don't keep the old files you can allegedly get rid of it...

[dotdrew]

I was recently looking at Lenovo All-In-Ones for my parents, thanks for reminding me of this, I'll have to do some research into other brands as well now haha.