If you own a Lenovo PC, read this asap!

Lenovo has been shipping its PCs with built-in malware that is a new level of insidiousness and nasty. Before I explain what it does, if you have a Lenovo machine, or know someone who does, go now to this site and see what it says.

What is going on? It turns out that Lenovo, either by design or by sheer stupidity, has included a piece of software called a root certificate, from this company Superfish. Now, if you aren’t a computer expert, this is probably meaningless to you. So let me break it down. With this Superfish certificate, every site that you go to in your browser using the HTTPS protocol is subject to being exploited by some bad guys. Chances are, it may not happen to you.

In any case, you want to remove this thing pronto. Here are the instructions from Lenovo.

Back in those innocent days of the early Web, we use to say add the S for security when you were browsing. This forces an encrypted connection between you and the website that you are visiting, so your traffic over the Internet can’t be captured and exploited.

But having a bad certificate turns this completely around: with it, you can decrypt this traffic, indeed, you can manipulate the web browsing session in such a way that you might not even realize that you are going to ThievesRUs.com instead of your trusted BankofWhatever.com. While no one has yet reported that this has happened, it is only a matter of time. There is a great article explaining this exploit on ArsTechnica here.

Certificates are the basic underpinnings of secure infrastructure, they are used in numerous other situations where you want to make sure that someone is who they say they are. By using a bad certificate, such as the one from Superfish, you throw all that infrastructure into disarray.

certs2To get an idea of how many certs you use in your daily life, open up your browser’s preferences page and click on over to the Certs section, there you will dozens if not hundreds of suppliers. (see screenshot at left)  Do you really trust all of them? You probably never heard of most of them. On my list, there are certs from the governments of Japan and China, among hundreds of others. You really have no way of knowing which of these are fishy, or even superfishy.

This isn’t the first time that bad certs have popped on on the Intertubes. There have been other situations where malware authors have signed their code with legit certs, which kinda defeats the whole purpose of them. And back in 2012, Microsoft certificates were used to sign the Flame malware; the software vendor had to issue emergency instructions on how to revoke the certs. And in 2011, the Comodo Group had issued bogus certs so that common destinations could have been compromised.

It is getting harder to keep track of stuff and stay ahead of the bad guys, even when they don’t have the auspices of a major PC manufacturer behind them.

9 thoughts on “If you own a Lenovo PC, read this asap!

  1. As recent purchaser of a new Lenovo, very useful to hear of this. But is there anything I can do about it, besides keeping up to date on virus and malware signatures? And does Lenovo have any comment or plan any fix?

    Thanks —

    Bob

    • I put a link in the above posting where you can remove it, but if you look at the comments on Lenovo’s forums in the link, you will see it isn’t completely a fix.

      You may have to re-image your PC with a fresh image of Windows (not from Lenovo). I don’t envy the amount of pain that is going to follow!

  2. David, I’ve sold a lot of Lenovo laptops and a few of their desktops, too. When I get one (new or used), I routinely reinstall Windows 7 (most common scenario) from scratch. More work for me, gets with of other misc and pretty useless stuff left by the factory install. I guess I been lucky.

  3. Ben, you give your customers great service, and this is just one indication why.

    Superfish is present on Lenovo laptops sold between September 2014 and January 2015 according to the latest info.

    • Great timing on your article. I ordered a Yoga 2 online and it arrived today. According to the emails I’ve been receiving since I ordered, this Yoga 2 was “recently manufactured just for me” and was shipped from China earlier this week. It had the SuperFish software and Cert on it. I’ve removed both. I bought my laptop in Feb, not January. It seems to raise a question about their statement “Lenovo laptops sold between September 2014 and January 2015”. I ordered from Lenovo on Feb 9. Is that the same as January 40th 😉

  4. THANK YOU for this post. I was just about to buy a Yoga 3 — sad that I have to wait, but relieved that I learned about this issue. Of course, it raises the question of which, if any, other PC vendors have the same issue.

  5. Pingback: Malware on Lenovo PC #vmvwiki | virtualMV (Michael Verhaart)'s Blog

  6. You might want to mention that this is primarily a problem for consumers. Most companies will have developed their own image, using their own OS, which would have wiped out this vulnerability.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.