Lenovo installs Superfish adware on new computers


I’m at a loss. It is late at night. I was having trouble sleeping and decided that I would open up Twitter. Much to my surprise I see that Lenovo has been installing adware on the systems that they sell in order to inject advertisements into browsers. Um…are you kidding me?

Remember in 2005 when Sony-BMG ran afoul of its customers for installing rootkits?

From EFF:

You insert your CD into your Windows PC, click "agree" in the pop up window, and the CD automatically installs software that uses rootkit techniques to cloak itself from you. Sony-BMG has released a "patch" that supposedly "uncloaks" the XCP software, but it creates new problems.

Well, it looks like this is a redux of the same sort of thing. Only worse. In this case the consumer has no say in the matter. This is adware that is installed on consumer systems by the company you're purchasing them from. Customers who do not do a bare metal install with a new operating system are subjected to this crap, and there is little redeeming quality to be found. This adware would affect the customer’s web browser.

From Lenovo Forums:

Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.

To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

I’m at a loss as to why they would think that this was a good idea at all. One person on Twitter discovered that the Superfish adware was acting as a man in the middle (MITM) when people would browse websites.

So, you surf to your online banking account and Superfish is acting as the certificate authority?? What could possibly go wrong, he asks, tongue firmly planted in cheek. This removes any semblance of trust for online banking, email, Twitter, Facebook and so on. This is bad.
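A defender-side check for the interception described above, as an added example that is not from the original article: it reads the issuer of the certificate a site presents to this machine and flags an issuer naming Superfish, or one that differs from a CA you recorded on a known-clean machine. The function names, the sample certificates and the "Example Trust CA" pin are assumptions constructed for illustration.

```python
import socket
import ssl

# Substrings of issuer names to flag. "Superfish" is the adware named in the
# article; extend the tuple for other local interception products.
SUSPECT_ISSUERS = ("superfish",)


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuple from ssl getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def check_issuer(cert, expected_org=None):
    """Return a list of findings for one certificate dict (empty means clean)."""
    fields = issuer_fields(cert)
    org = fields.get("organizationName", "")
    name = fields.get("commonName", "")
    findings = []
    for needle in SUSPECT_ISSUERS:
        if needle in org.lower() or needle in name.lower():
            findings.append(f"issuer matches suspect name '{needle}': {org or name}")
    # Optional pin: the CA organization recorded from a known-clean machine.
    if expected_org and org != expected_org:
        findings.append(f"issuer org '{org}' differs from expected '{expected_org}'")
    return findings


def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate as this machine's trust store sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format; not captured from a real host.
CLEAN = {"issuer": ((("organizationName", "Example Trust CA"),),
                    (("commonName", "Example Trust CA G2"),))}
INTERCEPTED = {"issuer": ((("organizationName", "Superfish, Inc."),),
                          (("commonName", "Superfish, Inc."),))}

if __name__ == "__main__":
    for label, cert in (("clean", CLEAN), ("intercepted", INTERCEPTED)):
        print(label, check_issuer(cert, expected_org="Example Trust CA"))
```

On a live machine, pass the result of `fetch_cert("your-bank.example")` to `check_issuer` and compare the issuer with the one seen from a device you trust.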

Let’s look back at the statement from the forum for a second. The admin wrote “temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues”, which reads more simply as “get rid of the pop-ups”. Incredible.

Factory pre-installed adware. If I had trouble dealing with insomnia earlier, this is certainly not going to improve my mood. This strikes me as an incredibly ill-advised attempt to generate revenue.

Have you purchased a Lenovo computer recently? There is a good chance that your system is infected with this adware. Very curious that the company would think that this is an acceptable business practice. 
