Lenovo announced that it has stopped pre-loading on its computer products a third-party advertising software known as Superfish following the discovery of a flaw that provides a way for hackers to snatch users’ encrypted data and online passwords.
An advisory issued by the Chinese computer company said that Superfish was included in some of its notebooks shipped between September 2014 and February 2015. The world’s largest seller of PCs said it thought Superfish would be a help for its customers and had no idea it would be a security threat. Superfish intercepts HTTPS traffic using a self-signed root certificate.
The software was meant “to assist customers with discovering products similar to what they are viewing,” the advisory said. “However, user feedback was not positive and we responded quickly and decisively.”
“Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. The application can be uninstalled, however, the current uninstaller does not remove the Superfish certificate,” Lenovo said.
Lenovo also provided instructions on how to uninstall the Superfish application.
The company said it has disabled server-side Superfish interactions with Lenovo products since January and has stopped preloading the software on its products since January.
The following Lenovo products may be affected:
Flex2 14, Flex2 15
Flex2 14D, Flex2 15D
Flex2 14 (BTM), Flex2 15 (BTM)
G40-70, G40-30, G40-45
G50-70, G50-30, G50-45
Miix2 – 8
Miix2 – 10
Miix2 – 11
S415; S415 Touch
S20-30, S20-30 Touch
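Because the advisory says the uninstaller leaves the Superfish certificate behind, a check of the Windows trusted root stores is the useful follow-up. The PowerShell below is an added example, not part of Lenovo's advisory or instructions; the function name and the assumption that the leftover certificate carries "Superfish" in its subject or issuer are hypothetical and should be confirmed against the certificate actually found.

```powershell
# Added example: list (and optionally remove) trusted root certificates
# that name Superfish. Function name and match pattern are assumptions.
function Find-SuperfishRootCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: the certificate names "Superfish" in Subject or Issuer.
        [string]$Pattern = 'Superfish',
        # Remove matches; honours -WhatIf and -Confirm.
        [switch]$Remove
    )

    # Both the machine-wide and the per-user trusted root stores are checked.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                # Report what was found so it can be reviewed before removal.
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }

                if ($Remove -and
                    $PSCmdlet.ShouldProcess("$store\$($_.Thumbprint)", 'Remove certificate')) {
                    # Removing from LocalMachine requires an elevated session.
                    Remove-Item -LiteralPath $_.PSPath
                }
            }
    }
}

# Read-only scan; no output means no matching root certificate was found.
Find-SuperfishRootCert | Format-List

# Preview a removal without changing anything:
# Find-SuperfishRootCert -Remove -WhatIf
```

Browsers that keep their own certificate store instead of using the Windows one are not covered by this check.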