CEO says Superfish is safe as US issues alert to remove Superfish from Lenovo PCs

Superfish's CEO is splitting hairs while Lenovo PC users remain vulnerable.

Superfish, the creator of the dangerous adware preloaded onto many new Lenovo PCs, has finally issued an extended statement on the matter, and, well, it's basically sticking its head in the sand and denying any wrongdoing whatsoever.

In a statement sent to PCWorld, Superfish CEO Adi Pinhas talks about how Superfish is a visual search tool designed to "enhance the online shopping experience for Lenovo customers," and that it doesn't collect any personal data. But beyond the PR talk, Pinhas' statement reveals Superfish taking a startlingly oblivious position--first for what it says at one point, and also for what it brushes off as inconsequential.

Let's start with what's written down. Here's the passage:

"There has been significant misinformation circulating about Superfish software that was pre-installed on certain Lenovo laptops... Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk."

Ironically, at around the same time representatives sent us the email, the United States Computer Emergency Readiness Team issued an official alert warning of the considerable dangers of the Superfish adware preloaded on many Lenovo consumer PCs. US-CERT recommends removing Superfish and its root certificate from affected PCs.

Why? Because of the deeper issue at play here--one that Pinhas's statement brushes off.

The core issue with the Superfish adware isn't that it may or may not be tracking customer behavior. (Both Lenovo and Superfish say it isn't.) The problem is that the web is increasingly embracing encrypted HTTPS connections, and in order to inject its ads into secured sites, Superfish uses the equivalent of a man-in-the-middle attack to interfere with encrypted HTTPS connections--undermining the trust between users and websites. How? By installing a self-signed root certificate deep inside Windows, which it then uses to re-sign the SSL certificates of legitimate websites.

Worse, Superfish uses the same certificate on every affected Lenovo system, and it does so using a weak, deprecated version of encryption. In fact, security researchers have already extracted the private key for the certificate. Hackers can easily launch their own man-in-the-middle attacks on users of affected Lenovo PCs by leveraging this shocking vulnerability put in place for Superfish.

That's very, very, very bad.

Pinhas says "a vulnerability was introduced unintentionally by a third party," but it's downright shocking for him to say "Superfish software does not present a security risk." While Pinhas is technically correct--the true danger lies in the certificate, not the Superfish software itself--to say that Superfish "does not present a security risk" as it was implemented in Lenovo's PCs seems incredibly disingenuous.

Fortunately, other technology giants are already moving to fix the vulnerability.

Lenovo stopped using the Superfish software in January, and its contrite CTO told PCWorld "We messed up" while vowing to provide a tool to remove Superfish from affected PCs. While we haven't seen that yet, Microsoft quickly pushed out a Windows Defender update that eliminates the Superfish adware and the root certificate in Windows, but not the Superfish certificate stored in Firefox's separate certificate manager, if you use that browser. Likewise, some other antivirus solutions identify Superfish as adware or a potentially unwanted program, but won't remove the rogue certificate from Windows or Firefox.

If you want to truly eradicate the Superfish adware and its dangerous certificate from your Lenovo PC--you know, like the United States government recommends--it's best to remove everything manually, just to be sure. PCWorld's guide to removing Superfish from your Lenovo PC can help you do just that.
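As an added example (not part of the original article, and not Lenovo's, Microsoft's or PCWorld's own tool), the PowerShell audit below checks both places the article says the rogue root can survive: the Windows Trusted Root stores and Firefox's separate certificate database, which the Windows Defender update leaves untouched. It assumes the rogue root's Subject contains the string "Superfish"; the Firefox check is a byte-level heuristic, and removal from Firefox still has to be done in its Certificate Manager.

```powershell
# Audit for the Superfish root certificate (added example, not the article's own tool).
# Assumption: the rogue root's Subject field contains "Superfish".
param(
    [switch]$Remove   # delete matching Windows-store certs; Firefox hits are reported only
)

$pattern = 'Superfish'

# 1. Windows certificate stores. Check the machine-wide and the per-user Trusted Root
#    stores; removing from LocalMachine\Root requires an elevated shell.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -match $pattern }
}

if (-not $found) {
    Write-Output 'Windows root stores: no Superfish certificate found.'
} else {
    foreach ($cert in $found) {
        Write-Output ("Windows root store match: {0} (thumbprint {1}, expires {2})" -f
            $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
        if ($Remove) {
            # Remove-Item on a Cert: provider path deletes the certificate from that store.
            Remove-Item -Path $cert.PSPath
            Write-Output '  removed from Windows store.'
        }
    }
}

# 2. Firefox keeps its own trust store (cert8.db in older profiles, cert9.db in newer ones).
#    The DER-encoded Subject is stored as raw bytes, so an ASCII search for the subject
#    string is a usable heuristic; it cannot delete the entry, only flag the profile.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profileRoot) {
    Get-ChildItem -Path $profileRoot -Recurse -Include 'cert8.db', 'cert9.db' | ForEach-Object {
        $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        if ($text -match $pattern) {
            Write-Output "Firefox store likely holds a Superfish certificate: $($_.FullName)"
        } else {
            Write-Output "Firefox store clean: $($_.FullName)"
        }
    }
} else {
    Write-Output 'No Firefox profiles found for this user.'
}
```

Run it once without `-Remove` to see what is present, then again with `-Remove` from an elevated PowerShell to clear the Windows stores; any flagged Firefox profile still needs the certificate deleted by hand in Firefox's Certificate Manager.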

Oh, and the third-party company that created the certificate that compromised encrypted connections for Superfish? It's called Komodia, and it's stuffed similarly dangerous root certificates into other programs, too. Enjoy your weekend.
