One positive from Superfish: Less bloatware on Lenovo’s new PCs

Lenovo’s credibility took a big hit this month, courtesy of the Superfish scandal: Pre-installed adware on Lenovo computers resulted in a risk to user privacy and security. The company has since apologized but is now going an extra step, bringing some solace from the incident. Lenovo says it will vastly reduce the amount of bloatware on its computers, going forward.

Lenovo ThinkPad X250

The No. 1 PC maker in worldwide sales issued a statement on Friday with the news, and says it plans to be the leader in safer and cleaner computers:

We are starting immediately, and by the time we launch our Windows 10 products, our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications. This should eliminate what our industry calls “adware” and “bloatware.” For some countries, certain applications customarily expected by users will also be included.

While I certainly don’t view the Superfish issue as a positive one, this may be the best unexpected outcome to come of it.

For far too long, PC makers have worked deals with third-party software vendors to pre-install crapware in order to generate extra revenues. In many cases, these apps are of limited or no benefit to customers who buy the hardware only to either uninstall the unwanted apps or let them stay installed, which can waste system resources. Lenovo will also publicly post information about any non-standard software that it does include with its computers in order to raise consumer awareness and transparency.

Although both steps are long overdue in the industry, they’re welcome ones.

And if they aren’t enough for you, a similar but different option is to buy a “Signature Edition” computer directly from Microsoft’s store. The company offers many of the same laptops and desktops you can purchase from a hardware maker or retailer, but without any additional crapware or bloatware.

Beyond Superfish: Turns out SSL-trashing spyware is widespread

Last week Lenovo found itself in deep trouble over the Superfish spyware that it installed on many recent consumer laptops. Designed to insert ads into customers’ browsing experiences, the software has very insecure foundations and basically made users vulnerable to hacking attacks.

Turns out it’s not just Lenovo customers who should be worried about their exposure — the insecurity of Superfish is largely due to its use of technology from an Israeli company called Komodia, and quite a few software packages in the areas of antivirus and parental protection also use Komodia’s engine. Examples highlighted by the U.S. Department of Homeland Security include products from parental control outfits Qustodio, Kurupira, Infoweise and Komodia’s own KeepMyFamilySecure, and security firms such as Lavasoft and Websecure.

Qustodio wrote in a Saturday blog post that it was working on a “fix in order to avoid potential phishing attacks from external malicious users.”

These various packages, including the Superfish software that Lenovo quietly installed on its consumer laptops late last year, used Komodia to put a fake root certificate authority (CA) on each user’s PC, together with a private key, in order to be able to intercept and analyze even encrypted “SSL” browsing sessions. However, this mechanism was really badly implemented.

As Facebook’s Matt Richard noted, the reuse of the same root CA across multiple machines (with the same “komodia” private key password) means bad actors could “potentially obtain that CA file and perform ‘man-in-the-middle’ (MITM) attacks on untrusted networks like public Wi-Fi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet.”

Cloudflare researcher Filippo Valsorda wrote about the potential manipulation of Komodia’s mechanism even without the need for extracting the private key: “An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.”

In short, this software greatly increases insecurity, which is why the DHS is urging people to uninstall all software that uses the Komodia Redirector and SSL Digestor libraries, and all associated root CA certificates, and why Mozilla is considering blacklisting those certificates in Firefox.

That’s kind of ironic, seeing as so many of these software applications are intended to protect their users. The same goes for Comodo, an actual certificate authority that also puts out a security-focused browser called Comodo Dragon. As researcher Hanno Böck wrote on Monday, this and other Comodo products ship with a “privacy” tool called PrivDog that supposedly replaces ads in webpages with ads from “trusted sources” – and as with Komodia’s tools, this one also verifies dodgy certificates when it shouldn’t.

CloudFlare’s Valsorda has come up with a tool called Badfish that was originally designed to detect infections by Superfish, but now also scans for those by other Komodia-using products and PrivDog as well. If you’re a Windows user and you’re using parental control software or certain antivirus products, it might be worth giving the Badfish page a visit to see if you need to uninstall anything.

Lenovo in hot water over Superfish adware, but dismisses security worries (updated)

Reports from security consultants, media, and Lenovo users indicate that there’s bloatware pre-installed on recent Lenovo Windows PCs that’s a bit more sinister than a set of superfluous ThinkPad tools. It appears that adware called Superfish had been running on consumer laptops sold by Lenovo between September 2014 and this past January, raising significant security concerns.

In a statement issued on Thursday, Lenovo said although it had disabled Superfish “server side interactions” since January, it could “not find any evidence to substantiate security concerns.” It also promised not to pre-load Superfish in the future, while clarifying that Superfish requires users to approve its terms of use, and that it hasn’t been installed on devices since “December.”

Update: Sometime today, Lenovo changed its statement and quietly removed the line “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The statement was most likely tweaked because there is actually a lot of evidence to back up that Superfish is a security problem. Lenovo also posted a PDF with instructions on how to remove Superfish.

The Electronic Frontier Foundation called Superfish “horrifically dangerous” and a “security catastrophe.”

The worst part is, Superfish isn’t even tangentially useful to the consumer. It’s ad-placing software — so far, what it appears to do is place its own ads against Google search results, which presumably generates income for both Lenovo and Superfish, a privately held company based in Palo Alto. Lenovo’s statement said that Superfish was included “to help customers potentially discover interesting products while shopping.”

While ads might be annoying, the real problem with Superfish is the liberties it takes with users’ machines to serve those ads, which resemble a “man-in-the-middle” attack. The adware makes itself an unrestricted root certificate authority in Windows, so it is able to spoof SSL certificates. If you connect to a secure website, such as your bank, from Internet Explorer or Google Chrome on an affected Lenovo laptop, the security certificate will have been signed by Superfish, as opposed to a trusted SSL certificate services provider like VeriSign.

Essentially, this discovery means that HTTPS browsing on an affected Lenovo laptop is insecure. In fact, researchers have already cracked Superfish’s private key — which was the same on all affected laptops — meaning hackers could snoop on encrypted traffic while on the same network, or even install malware under the guise of a trusted program. Simply uninstalling the program doesn’t remove the unrestricted root certificate.
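As an added, defender-side check (not code from the articles, from Lenovo, or from any of the tools they mention), the following PowerShell inventories the Windows root certificate stores and flags the interceptor roots described above, both in the Komodia passage and in this one. It also flags any root that carries a private key on the machine, which generalizes the point beyond the named products, since a legitimate root CA never ships its signing key to an end-user PC; the product names are the ones the articles mention, everything else is an assumption.

```powershell
# Added example, not from the article: inventory root CAs on a Windows PC and
# flag (a) any whose subject names an interceptor product mentioned in the
# articles and (b) any root that has a private key on this machine.
$suspectPattern = 'Superfish|Komodia|PrivDog|KeepMyFamilySecure'

# Both machine-wide and per-user trusted root stores are consulted by browsers
# that use the Windows certificate store (Internet Explorer, Chrome).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        if ($_.Subject -match $suspectPattern) { $reasons += 'known interceptor name' }
        if ($_.HasPrivateKey)                  { $reasons += 'private key present for a root CA' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious root certificates found in the inspected stores.'
}
```

Because uninstalling the adware leaves the root in place, a confirmed interceptor root has to be removed from the store itself, for example with `Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"` from an elevated prompt, after checking that the thumbprint belongs to the flagged entry and not to a legitimate root.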

Lenovo is the top PC vendor in the world, according to IDC, and shipped over 16 million PCs in the fourth quarter of last year, part of the time period when Superfish was preinstalled on some devices. Here’s an online test to check whether your device is affected.