Archive for February 19th, 2015

Warning: BYOS - Bring your own Sh**! …and why Lenovo was now an adware distributor. (Updated)

Thursday, February 19th, 2015

Hi Folks,

Can your users work with their own devices (laptop/PC/tablet) in your company environment, or access your company environment from home?

Then you should look out for new Lenovo end-consumer devices! Why?

Lenovo seems to have had some fun adding a piece of software called “Superfish” to their hard disk images. So why is this now a security concern?

First of all, Superfish can be called adware: the software adds a component to web browsers like Firefox, Internet Explorer and Google Chrome. This by default is already a pain in the a*s, but it gets even worse. Superfish adds its own trusted root CA certificate to the certificate store, which means it’s possible to perform a man-in-the-middle attack on all certificate-based SSL communication, like Facebook, online banking, Remote Desktop Gateway access or your company’s NetScaler incl. the related ICA traffic. This affects Google Chrome and Internet Explorer; Firefox comes with its own certificate store and doesn’t use the Windows certificate store. There is also a nice article describing how Superfish deals with certificates here (expand the pictures in the top post).

So I strongly recommend that if a user comes up with a “new” Lenovo device, you force him to allow a device review. Uninstall Superfish (some virus scanners like Avira, incl. the certificate, or malware tools can do the job; just use Google) and remove all trusted CA certificates which belong to Superfish Inc, or even better: read out the Windows activation key, incl. Office, and wipe the damn system (my preferred way… 🙂 ). Removing CA certificates can be tricky (read also here), but this is the most important part.
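
One way to do the certificate part of that review, as an added example (not from the original post): the PowerShell function below lists certificates in the Windows trust stores whose subject or issuer contains “Superfish”, and removes them only when `-Remove` is given. The function name and the match string are assumptions; the post gives no thumbprint, so check each hit before deleting.

```powershell
# Added example: audit (and optionally remove) CA certificates whose subject
# or issuer names the vendor. The match string is an assumption taken from
# the post's wording ("Superfish Inc"); verify each hit before removing it.
function Find-VendorRootCert {
    [CmdletBinding()]
    param(
        [string]$Pattern = 'Superfish',   # assumption: substring of subject/issuer
        [switch]$Remove                   # without this switch nothing is changed
    )
    $stores = 'Root', 'AuthRoot', 'CA', 'TrustedPublisher'
    $mode   = if ($Remove) { 'ReadWrite' } else { 'ReadOnly' }
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($name in $stores) {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $location)
            try {
                # OpenExistingOnly: never create a store that is not there
                $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"$mode, OpenExistingOnly")
            } catch {
                Write-Warning "Cannot open $location\$name : $_"
                continue
            }
            try {
                $hits = @($store.Certificates | Where-Object {
                    $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*"
                })
                foreach ($cert in $hits) {
                    if ($Remove) { $store.Remove($cert) }
                    [pscustomobject]@{
                        Store      = "$location\$name"
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                        HasPrivKey = $cert.HasPrivateKey
                        Removed    = [bool]$Remove
                    }
                }
            } finally { $store.Close() }
        }
    }
}

# Report only (run elevated so the LocalMachine stores can be opened):
Find-VendorRootCert | Format-Table -AutoSize
# After reviewing the report:
# Find-VendorRootCert -Remove
```

This covers only the Windows certificate store; an empty report after uninstalling the software and removing the certificate is the state the review should end in.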

Sometime in January Lenovo stopped deploying Superfish, but from what I have read so far it’s only on hold and not finally stopped, so this shi**y software could be delivered again. So customers should now “force” Lenovo to stop this in the future; don’t forget that there are also other vendors available. Also be aware: Lenovo stopped this in January, and affected devices can still be sold in retail stores.

There is already a statement available from Lenovo (source, parts in German):

“Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in market from activating Superfish. Superfish was preloaded onto a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish.”

Background information on Superfish

Superfish was preloaded onto select models of Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.

The Superfish Visual Discovery engine analyzes an image 100% algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price.

Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled.

The statement is one of the funniest I have ever read… Superfish is a miracle software: it can help a user find and discover products without monitoring the user = pure magic? …or who should believe this? What do you call real-time image recognition combined with software that can intercept and sneak into certificate trusts? A glorious present for all hackers and intelligence agencies! Did anyone from Lenovo read the Superfish “Privacy Policy”?

Superfish will collect and store certain information that is automatically collected by WindowShopper or provided by its users, such as download date, status changes, usage logs, email address. Such information will be kept private by Superfish and is not for public distribution.
Superfish will also store bugs hunting information provided regarding the service. This information is for Superfish’s internal use only and will not be distributed under any circumstances.

Ok… So what do you call “It does not profile nor monitor user behavior”?

Lenovo is now a strong candidate for our “That sucks!” award. Bloatware or other useless pre-installed crap, as a lot of vendors provide, is one thing, but pre-installed adware with serious security issues/concerns is a new dimension in how hardware vendors treat customers. Today, in mixed environments, it’s also not important whether the device comes as an “end consumer” or “enterprise” device.

Update: I just got a new statement provided through the Lenovo website here. The most important part is: We will not preload this software in the future. Lesson learned. But please remember, there could still be affected devices available in stores, and the time period in which Lenovo “provided” Superfish is estimated at ~3 months.

Cheers

Michael

Citrix Tool Highlight: Pimp my Storefront – Introducing the StoreFront Web Configuration GUI

Thursday, February 19th, 2015

Hi Folks,

I just want to introduce you to a small and mostly unknown tool that lets you configure your StoreFront servers a little bit more than the regular StoreFront console does.

First of all you can download the tool for free from here: Citrix StoreFront Web GUI Assistant

Download the archive and extract the .exe file to your Citrix StoreFront server(s). The tool requires local Administrator permissions, so make sure the user has full access to the system. Now execute the tool to get the console; if the tool is executed on your StoreFront server you will see “Running on Storefront” in the upper left corner.

Now you need to open the web.config file for the Web GUI you want to edit; in my example the file is located in the folder C:\inetpub\wwwroot\Citrix\DEMOWeb. Please note: only Web-related web.config files can be edited with this tool!

After you have opened the web.config file you can edit and save it through the tool. I also strongly recommend making a backup before you overwrite an existing/production web.config file.

There are a bunch of useful configurations available, just a few samples:

[Screenshots SFCG3, SFCG4, SFCG5]

Of course you can also edit the web.config files manually, but this is only recommended for users with some experience. The tool is also a good way to create documentation screenshots and to gain easy access to these configurations. Of course you can now ask: why are these settings not available in the regular StoreFront management? This is a very good question! But all in all this is a good (and mostly unknown) configuration tool for administrators to maintain/configure new or existing StoreFront installations in an easy way.

Cheers

Michael