Lenovo releases tool to purge Superfish 'junkware'

Lenovo has released a promised tool to delete the Superfish Visual Discovery adware from its consumer PCs.

The tool automates the manual process that Lenovo described earlier in the week after the Superfish "crapware" exploded in its face. The same tool also deletes the self-signed certificate that experts said was a huge security threat to anyone with a Superfish-equipped Lenovo system.

Lenovo confirmed that it is working with two of its partners, antivirus vendor McAfee and Windows-maker Microsoft, to automatically scrub or isolate Superfish and remove the certificate, for those customers who do not hear about its cleaning tool.

"We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," Lenovo said in a statement. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."

The reference to already-begun efforts pertains to Microsoft's decision Friday to issue an anti-malware signature for its free Windows Defender and Security Essentials programs, then push the signature to Windows PCs running that software.

Ironically, McAfee's Internet Security is another pre-loaded program Lenovo adds to its consumer PCs and 2-in-1s. Those programs, called "bloatware," "junkware" and "crapware," are factory-installed by Lenovo to generate revenue. Lenovo places a 30-day trial of McAfee Internet Security on its consumer PCs, for example, then gets a cut of the money customers spend to upgrade the trial to a paid subscription.

Security experts have called on Lenovo, and the PC industry in general, to halt the practice of pre-loading third-party software on their machines. "Bloatware needs to stop," said Ken Westin, security analyst at security firm Tripwire. Westin and others argued that crapware poses security and privacy threats, something Superfish illustrated all too well.

The issue with Superfish was how it injected ads into secure websites, like Google.

To serve ads on encrypted websites, Superfish installed a self-signed root certificate into the Windows certificate store, as well as into Mozilla's certificate store for the Firefox browser and Thunderbird email client. That Superfish certificate then re-signed all certificates presented by domains using HTTPS. That meant a browser trusted all the fake certificates generated by Superfish, which was effectively conducting a classic "man-in-the-middle" (MITM) attack able to spy on supposedly secure traffic between a browser and a server.

At that point, all hackers needed to do was crack the password for the Superfish certificate to launch their own MITM attacks by, for example, duping Lenovo PC users into connecting to a malicious Wi-Fi hotspot in a public place, like a coffee shop or airport.

Cracking the password proved laughably easy, and within hours it was circulating on the Internet.
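The re-signing described above leaves two observable traces: a self-issued root in the trust store, and unrelated HTTPS sites whose certificates all name that root as issuer. The following Python sketch is an added example, not Lenovo's tool or code from the original article; the `superfish` substring match and all sample names are assumptions constructed for illustration.

```python
import ssl

def flat(name):
    """Flatten the ssl module's nested RDN tuples into one dict."""
    return {key: value for rdn in name for key, value in rdn}

def suspect_roots(ca_certs, needle="superfish"):
    """Self-issued trusted roots whose subject mentions `needle`.

    `ca_certs` has the shape returned by ssl.SSLContext.get_ca_certs().
    The substring match is an assumption, not a certificate fingerprint.
    """
    return [c for c in ca_certs
            if c["subject"] == c["issuer"]
            and needle.lower() in " ".join(flat(c["subject"]).values()).lower()]

def intercepted_hosts(peer_certs, roots):
    """Hosts whose leaf certificate names one of `roots` as its issuer.

    `peer_certs` maps host -> dict shaped like SSLSocket.getpeercert().
    """
    bad = [r["subject"] for r in roots]
    return sorted(h for h, c in peer_certs.items() if c["issuer"] in bad)

# Constructed sample data; names are illustrative, not real certificates.
GOOD = ((("organizationName", "Example Trust Services"),),
        (("commonName", "Example Root CA"),))
ROGUE = ((("organizationName", "Superfish Sample"),),
         (("commonName", "Superfish Sample Root"),))
SAMPLE_STORE = [{"subject": GOOD, "issuer": GOOD},
                {"subject": ROGUE, "issuer": ROGUE}]
SAMPLE_PEERS = {
    "bank.example": {"issuer": ROGUE},
    "mail.example": {"issuer": ROGUE},
    "news.example": {"issuer": GOOD},
}

if __name__ == "__main__":
    roots = suspect_roots(SAMPLE_STORE)
    print("suspect roots:", [flat(r["subject"])["commonName"] for r in roots])
    print("re-signed hosts:", intercepted_hosts(SAMPLE_PEERS, roots))
    # On Windows the default context is loaded from the system ROOT/CA
    # stores; Firefox and Thunderbird keep their own store, not read here.
    live = ssl.create_default_context().get_ca_certs()
    print("live store hits:", len(suspect_roots(live)))
```

A name match only finds a root that still carries the product name; confirming removal means re-running the check against every store the software touched, including the separate Mozilla one.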

Westin called Lenovo's adding Superfish to its PCs "a betrayal of trust" and predicted that the Chinese OEM (original equipment manufacturer) would suffer a hit to both its reputation and sales. "When they pull this kind of stuff, I know I don't want to buy a Lenovo," Westin said.

Since the vulnerability posed by Superfish went public, Lenovo has scrambled to repair the damage caused not only by the crapware, but also by its initially tone-deaf denial that the software was a security problem.

In the statement, Lenovo continued to claim that it had been in the dark. "We did not know about this potential security vulnerability until yesterday," the company said.

That doesn't let Lenovo off the hook, said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. "What's in question here is what, if any, due diligence is performed by the manufacturers before agreeing to pre-install applications," Storms said. "What's the vetting process aside from 'How much is the third party willing to pay us?'"

Lenovo did not detail how McAfee or Microsoft might help disseminate the Superfish clean-up tool or assist in removing the application and certificate. But its use of the word "quarantine" hints that McAfee would issue its own anti-malware signature to at least isolate the program. Antivirus programs use that same quarantine practice with suspected malware.

Microsoft, in turn, could issue an update that revoked the Superfish certificate, essentially removing it from the Windows certificate store. The Redmond, Wash. company has done that in the past when certificates have been obtained illegally.

Google's Chrome, Microsoft's Internet Explorer (IE) and Opera Software's Opera use the Windows certificate store to encrypt traffic to and from Windows PCs. Even so, Google and Opera would likely issue their own revocation updates.

Mozilla is already working on revoking the Superfish certificate from the Firefox and Thunderbird certificate stores, but has not finalized plans, according to Bugzilla, the open-source developer's bug- and fix-tracker.

Lenovo's Superfish cleaning tool and updated manual removal instructions -- which now include Firefox -- can be found on its website.

Stories by Gregg Keizer