US Government Warns Users To Remove Lenovo’s Superfish

The US Government has advised the public to remove Superfish, an advertising program pre-installed on some Lenovo laptops, saying it introduces a security vulnerability.

Meanwhile, Facebook security researchers said they have discovered more than two dozen “suspicious” programs that use the same insecure library found in Superfish. Microsoft on Friday released an update for Windows Defender that removes Superfish.

The US Department of Homeland Security on Friday issued an alert saying that the software makes computers vulnerable to SSL spoofing, a type of man-in-the-middle (MITM) attack, which allows an attacker to imitate a trusted Internet source such as a website.

“Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken,” the department stated.

Lenovo began to bundle Superfish ad software with some of its laptops in September of last year, using it to alter users’ search results, and said it removed the software from its products in January due to user complaints over the intrusiveness of the tool.

However, last week it was disclosed that the software involved includes a library from Israel-based Komodia to modify the Windows networking stack in order to intercept users’ Internet communications, including those protected by Secure Sockets Layer (SSL) encryption.

Attack technique

The Komodia library uses an interception technique that is inherently insecure, according to security researchers – the installation of a new root Certificate Authority (CA) that is the same across all systems – in part because that CA could potentially be obtained and used by an attacker.

“By reusing the same certificate, a bad actor could potentially obtain that CA file and perform ‘man-in-the-middle’ attacks on untrusted networks like public Wi-Fi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the Internet,” wrote Matt Richard, a Threats Researcher on the Facebook Security Team, in an advisory. “In this case, the certificate used by the Superfish software is relatively easy to extract.”

Richard said Facebook has found more than two dozen applications using the Komodia library in question, many of which appear to be “suspicious” adware. The company also found programs categorised as malware, including a program identified by Symantec as Trojan.Nurjax, that use the same Komodia library.

Data ‘hijacking’

Superfish was founded in Israel in 2006 by co-founders Adi Pinhas, whose background is in computer surveillance, and Michael Chertkof, a data-mining specialist, and is now based in Palo Alto, California. The company said the vulnerability was introduced “inadvertently” by Komodia.

Komodia’s website describes its technology as a “hijacker” that allows “easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning”.

Lenovo apologised for the “concerns” caused by its use of the software and said it is releasing a tool to automatically remove Superfish.

“We did not know about this potential security vulnerability,” Lenovo said in a statement. “We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it.”

Lenovo concerns

Lenovo said the software was installed only on “select” computers, but didn’t estimate the number of systems affected. The systems include laptops in the Yoga, Flex and MiiX lines and the E, G, U, Y and Z series.

In 2013 it was revealed that Lenovo computers were allegedly banned from use by the British government. The ban was brought into place in the mid-2000s following lab testing which found back doors and security flaws in Lenovo hardware.

Lenovo PCs and laptops have also been banned from use in the defense sectors of Australia, Canada, the United States, and New Zealand.

Take our Lenovo quiz here!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

SoftBank Promises To Invest $100bn In US

Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…

13 hours ago

Synopsys, SiMa.ai To Collaborate On AI Car Chips

Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…

14 hours ago

AI Start-Up Basis Raises $34m For Accountancy Agent

Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…

14 hours ago

Databricks Raises $10bn In Huge AI Funding Round

Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…

15 hours ago

Congo Files Complaints Against Apple Over Conflict Minerals

Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…

15 hours ago