Security experts call for halt to PC 'crapware' after Lenovo debacle

Security professionals want Lenovo -- and other PC makers -- to stop the practice of loading third-party software on new PCs after one such app was found to be vulnerable to abuse by cyber criminals.

Well, the crapware certainly hit the fan.

That was the take by security professionals Thursday, who called on Lenovo -- and other PC makers -- to stop the practice of loading third-party software on new PCs.

"Bloatware needs to stop," said Ken Westin, security analyst from security firm Tripwire, in an interview. "Companies like Apple, which sell their products on their own merits, they don't sell out their customers with this adware crap."

The practice of pre-installing software on new machines is so widespread, and has been going on so long, that it has well-worn labels, like Westin's "bloatware" or the cruder but more descriptive "crapware." Device OEMs (original equipment manufacturers) load such software for financial reasons, cutting prices on the hardware so drastically -- usually in an effort to keep pace with rivals -- that the money earned from software makers is sometimes the difference between profit and loss.

OEMs are paid to load the software onto their PCs -- developers fork over money to get their programs in front of users -- and earn revenue when consumers pony up to extend the trial periods of those pre-loaded applications that come with expiration dates.

But with the latest Lenovo fiasco, crapware-as-a-security-threat has triggered a blowback much greater than the contempt and ridicule formerly assigned it by consumers. And that's going to hurt the China-based PC maker.

"We need to be able to trust our brands," said Westin. "But that's very difficult here. What else have they deployed on their PCs? When they pull this kind of stuff, I know I don't want to buy a Lenovo."

Westin and others were reacting to the stance Lenovo initially took Thursday when it denied that Superfish Visual Discovery, a pre-loaded adware program billed as an image search tool that would "help customers potentially discover interesting products while shopping," was a security threat.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo said in a Thursday statement that was subsequently altered to drop that line.

By the end of the day, Lenovo had backtracked, with its CTO, Peter Hortensius, admitting to IDG News Service -- like Computerworld, a part of IDG -- that the company had "messed up badly."

Hortensius said that Lenovo wasn't aware of Superfish's vulnerability to abuse by cyber criminals until it was publicly disclosed by security researchers. Google security engineer Chris Palmer launched a vigorous Twitter discussion on Wednesday after buying a new Lenovo laptop, and Robert Graham, CTO of Errata Security, outlined how he cracked the certificate's password in a Thursday blog post.

Superfish had been installed on a slew of Lenovo consumer-grade personal computers and 2-in-1s from September through December 2014. The OEM did not disclose the number of affected PCs, but listed the models, which included those in the E, G, S, U, Y and Z series, as well as ones in the Flex, MIIX and Yoga lines.

Lenovo stopped installing Superfish on its hardware last month, and at the same time disabled the software on all the devices onto which it had been loaded. The firm also promised not to install Superfish in the future. But that still left the software on PCs.

Later Thursday, Lenovo published manual instructions for removing both Superfish and the self-signed certificate that was at the root of the potential abuse. The firm also said it would soon release a tool that would scrub both the application and the certificate from its PCs automatically, and was looking into ways to auto-deliver that tool, perhaps with the help of partners Microsoft and McAfee.
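A defender's check for the leftover self-signed root certificate described above, added here as an example that is not from the article and not Lenovo's own removal tool or instructions. It assumes the certificate can be recognised by the string "Superfish" in its Subject (the article gives no subject name or thumbprint) and that it sits in the Windows Trusted Root stores:

```powershell
# Added example: list (and optionally remove) trusted root certificates whose
# Subject matches a name pattern. Assumption: the Superfish root carries
# "Superfish" in its Subject; no thumbprint is given in the article, so the
# match is by name. Run from an elevated prompt; Remove-Item on the Cert:
# drive needs PowerShell 3.0 or later.
param(
    [string]$NamePattern = 'Superfish',
    [switch]$Remove
)

# Windows TLS clients trust roots in both the machine-wide and the per-user store.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$NamePattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # A self-signed root that can issue certificates for any site is the risk.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                PSPath     = $_.PSPath
            }
        }
}

if (-not $suspects) {
    Write-Output "No root certificate matching '$NamePattern' found."
    return
}

$suspects | Format-Table Store, Subject, Thumbprint, NotAfter, SelfSigned -AutoSize

if ($Remove) {
    foreach ($cert in $suspects) {
        Remove-Item -Path $cert.PSPath
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
} else {
    Write-Output "Re-run with -Remove to delete the listed certificates (elevation required for LocalMachine)."
}
```

Deleting the certificate does not uninstall the application that installed it, so the application is removed first, as the manual instructions cover both.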

"Lenovo could approach Microsoft and ask to inject a removal tool inside of Windows Update," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. "We've seen [Microsoft] do similar things in the past where they have issued killbits on ActiveX components. I suspect that the Malicious [Software] Removal Tool [MSRT] could do it."

MSRT is a Microsoft-made malware deletion tool that is refreshed each month and included with other security updates the company issues on Patch Tuesdays.

Microsoft declined to answer questions about whether it was willing to aid Lenovo, the world's largest PC seller, by using Windows Update.

For Storms, even the promised cleanup tool wouldn't be sufficient, because Lenovo owners would have to hear about it, and then download it themselves. Under those conditions, a large portion of the affected PC owners will continue to run vulnerable systems. "Lenovo needs to take a stand here and offer to remove the software from every computer," said Storms in an interview conducted over instant messaging.

But it was the practice of loading crapware onto computers that drew unanimous ire from security professionals.

"OEMs frequently undermine the security of their systems through third-party software bundles," said HD Moore, the chief research officer at Rapid7 and the creator of the open-source Metasploit penetration framework. "In the PC area, we have all sorts of privacy exposures and flat-out security issues due to unauthenticated third-party software updaters."

Westin echoed Moore, but also pointed out that with data breaches commonplace and reports of nation-state cyber spying increasing, consumers are increasingly sensitive to digital security and privacy issues, as the fast-spreading news of Lenovo's snafu demonstrated. "We're more privacy and security conscious," Westin said. "So when this sneaks past an OEM, there will be a significant impact on sales and their brand. But it's all about, 'How can we monetize these installs?'"

In its statement Thursday, Lenovo claimed that the decision to pre-load Superfish was not financially motivated. "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users," the company said.

"Yes, 'significant,'" countered Storms.

"The amount of pre-installed software on computers has been out of control for years," Storms added. "Every grandma who gets a new computer would never be able to remove all the so-called helpful apps installed, from browser toolbars to picture editing apps and even time-crippled AV [antivirus] software. When you get a new computer it should be spanking brand new and clean."

Some PC sellers have used crapware-free machines as a selling point. Microsoft, for instance, has long sold a line it's dubbed "Signature Edition," third-party personal computers that come with "no junkware or trialware."

That should be the default, not the exception, said Westin, who saw a ray of hope from Lenovo's blunder.

"The silver lining here is that people are paying attention to the security and privacy concerns about bloatware," Westin said. "Maybe a few years ago this would have all gone unnoticed."
