Lenovo to flush 'crapware' from its consumer PCs after Superfish sin

Lenovo will immediately begin reducing the amount of "crapware" on its consumer PCs, a move triggered by last week's admission that adware pre-loaded onto the company's machines posed a critical security threat.

Lenovo today said that it would immediately begin reducing the amount of "crapware" on its consumer PCs, a move triggered by last week's admission that adware pre-loaded onto the Chinese company's machines posed a critical security threat.

"We will significantly reduce preloaded applications," Lenovo said in a Friday statement. "Our goal is clear: To become the leader in providing cleaner, safer PCs."

Over the past nine days, Lenovo has been vilified by customers for bundling the Superfish Visual Discovery adware with its consumer-grade personal computers. "You've basically flushed your credibility down the drain," wrote one customer on the company's support forum earlier this week. "Good luck getting people to actually think about buying your products now."

This week, brand quality measurement vendor YouGov BrandIndex said that Lenovo's brand "buzz" score had dropped by half since the Superfish news broke.

With the no-crapware pledge, Lenovo moved into damage control mode. "The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities," the company said today.

Although Lenovo said it would immediately start to scale back the number of pre-installed third-party programs -- usually tagged with the descriptive labels "bloatware," "crapware" or "junkware" -- it pledged to complete the process by the time Microsoft released Windows 10 later this year.

"By the time we launch our Windows 10 products, our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications," the firm said.

Lenovo will also provide explanations -- it did not say where, whether on its website or on the new PCs themselves -- of each still-bundled application's purpose. Those whose PCs had been preloaded with Superfish will be offered a free six-month subscription to McAfee's security software.

McAfee, a partner of Lenovo, also has a deal to pre-load a 30-day trial of its software on the latter's PCs.

Superfish, which Lenovo added to new consumer PCs from September through December 2014, was blasted by security experts who discovered that the software left a gaping hole in the company's computers. Hackers were handed ways to intercept and steal critical information, including passwords, that was not properly safeguarded by encryption.

Earlier this week, other security researchers said that they had uncovered evidence that the underlying vulnerability -- which was not limited to Superfish -- has been used by cyber criminals in actual attacks.

Those security experts called on Lenovo and other OEMs (original equipment manufacturers) to stop loading third-party software on their machines. Such software is added to PCs at the factory for financial reasons: Computer makers receive payments from software vendors who want to get their programs in front of users, and the OEMs take a cut of fees users pay to extend the trial periods of pre-installed programs that come with expiration dates.

The revenue can be the difference between profit and loss on a PC, especially the lowest-priced models, as OEMs have raced to the bottom bands to keep pace with cut-throat competitors. The practice goes back decades.

While the Superfish fiasco sparked renewed dump-crapware debate, Stephen Baker, an analyst with the NPD Group who specializes in tracking retail computer sales in the U.S., said calls to completely scrub PCs were idealistic at best.

"Compared with, say, five years ago, there is way, way less [bloatware] than there used to be," said Baker. "But at the end of the discussion, people who complain about this have their eyes on the sky. No one is giving the PC guys money, and so they have to make some very tough choices."

That reduction in crapware was driven, like everything, by economics. "It's been getting harder to pick up a couple of dollars here and there," Baker said. As software prices have plummeted and the functionality of many add-on programs has been absorbed by either the OS or free offerings, like browsers, the range of bundled software that consumers were willing to pay for after buying their PC has shrunk.

One of the few remaining junkware additions that still put money in OEM pockets was security software. "That's something that people need," Baker observed. "It's not bloatware, that's something that has some value."

No surprise, then, that Lenovo specifically said that security software offers wouldn't be stripped from its PCs.

Realistically, price-pressured OEMs have to have a way to monetize the customer after the sale, Baker argued. If not through crapware, then through some other mechanism.

"They may turn to more connections to their own sites or others', to create opportunities to sell stuff to people, as opposed to getting the money up front [from pre-install deals]. The goal would be to depend more on [after-sale] consumer actions," Baker said.

Some have pointed out that Apple is able to sell its devices, Macs included, without adding third-party software; so other OEMs should be able to, as well.

However, that argument's fallacy lies in the fact that Apple creates its own software, and spends considerably to do so. Windows PC OEMs, even if they had the resources, don't have the expertise to replicate Apple's approach. Nor would they, not with multiple rivals ready to drive down prices in a sometimes-futile search for volume rather than profits.

Baker's point was that by dropping pre-loads, Lenovo will be pressed to generate revenue in other ways -- ways not tied to the price of the hardware. "They have to find those shekels somewhere," he said.

"This is all rooted in a historically tough market," Baker said. "Pretty much everyone has these things, including Microsoft with its 30-day trials of Office 365. But OEMs have to deal with the changing environment."


Stories by Gregg Keizer
