China-based PC maker Lenovo has come under fire for selling laptops pre-installed with ‘horrifically dangerous’ software called ‘Superfish’ that tracks users’ every move online and leaves the computers vulnerable to hackers.
The suspicious software was detailed in a report from Errata Security CEO Robert Graham, who posted information on Errata’s website discussing the Superfish issue.
“It’s designed to intercept all encrypted connections, things it shouldn’t be able to see,” Graham said.
“It does this in a poor way that it leaves the system open to hackers or NSA-style spies.”
“Their business comes from earning money from those ads, and it pays companies (like Lenovo) to bundle the software against a user’s will,” Graham said of Superfish. “They rely upon the fact that unsophisticated users don’t know how to get rid of it, and will therefore endure the ads.”
Acknowledging the issue, Lenovo on Thursday said it has disabled the offending software and will provide customers with a tool that permanently removes the program from their computers.
“I have a bunch of very embarrassed engineers on my staff right now,” Lenovo CTO Peter Hortensius said in an interview Thursday. “They missed this.”
The company said it shipped “some” laptops with Superfish between September and December last year, before it stopped because of customer complaints. It still remains unclear how many laptops have been affected by the problem. Laptops preloaded with the Superfish software were from the company’s G Series, U Series, Y Series, Z Series, S Series, Flex Series, MIIX Series, YOGA Series and E Series.
Lenovo said it is currently in contact with browser and antivirus vendors to discuss ways of fixing the issue. The company has also posted detailed instructions on how to remove the software and the Superfish encryption certificate from its computers.
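The certificate mentioned above is what lets Superfish intercept encrypted connections: once a root certificate it controls is trusted by Windows, the system accepts certificates it issues for any site. The following PowerShell script is an added example for checking an affected machine, not Lenovo’s removal tool and not code from the article; it assumes the offending certificate can be recognised by the string "Superfish" in its Subject or Issuer field, and it only removes anything when run with the `-Remove` switch.

```powershell
# Added example (not Lenovo's tool, not from the article): list, and optionally
# remove, root/CA certificates in the Windows stores whose Subject or Issuer
# mentions Superfish. Assumption: the certificate is identifiable by that string.
param(
    [switch]$Remove   # only delete matches when this switch is given
)

$pattern = 'Superfish'   # assumed substring of the certificate's Subject/Issuer
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
             'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA')

# Collect every matching certificate across the trusted root and intermediate stores.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
}

if (-not $found) {
    Write-Output "No certificate matching '$pattern' found in: $($stores -join ', ')"
    return
}

foreach ($cert in $found) {
    # Report enough detail to record what was trusted: store, subject, thumbprint, expiry.
    Write-Output ("FOUND  store={0}  subject={1}  thumbprint={2}  notAfter={3}" -f
        $cert.PSParentPath, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($Remove) {
        # LocalMachine stores require an elevated (Administrator) PowerShell session.
        Remove-Item -Path $cert.PSPath -Force
        Write-Output "REMOVED  thumbprint=$($cert.Thumbprint)"
    }
}
```

Run it first without `-Remove` from an elevated prompt to see what is trusted, record the thumbprints for your own incident notes, and then rerun with `-Remove`. Deleting the certificate does not uninstall the Superfish program that installed it, so the software itself still has to be removed as Lenovo’s instructions describe; browsers that keep their own trust store (Firefox does) also need to be checked separately.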