Lenovo shipping laptops with pre-installed adware that kills HTTPS

February 19, 2015 – 5:27 AM

Lenovo is in hot water after it was revealed on Wednesday that the company is shipping consumer laptops with Superfish adware pre-installed. Security experts are alarmed, as the software performs Man-in-the-Middle attacks that compromise all SSL connections.

It’s a fact of life; PC manufacturers are paid to install software at the factory, and in many cases this is where their profit margin comes from. However, pre-installed software is mostly an annoyance for consumers. Yet, when this pre-installed software places their security at risk, it becomes a serious problem.

Lenovo, in comments posted to a company support forum, said they have partnered with a company called Superfish Inc. to deliver software “that helps users find and discover products visually.”

This is done by injecting ads on the sites displayed by Internet Explorer and Chrome; Firefox doesn’t seem to be impacted in this instance, but complaints that date back to last summer surrounding Superfish do include Mozilla’s browser.

Researchers have discovered that not only does Superfish inject ads, it also breaks SSL by installing a self-signed root certificate that can intercept encrypted traffic for any secured website a user visits.
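A locally installed root that signs for any site leaves a recognisable trace: the same unexpected issuer shows up on many unrelated sites at once. The following detection sketch is an added example, not code from the article, Lenovo or Superfish. The site names, issuer names and baseline are constructed, and it assumes the issuer seen for each site has already been recorded on the suspect machine and on a known-clean one.

```python
from collections import defaultdict

# Constructed baseline: issuer seen for each site from a known-clean machine.
BASELINE = {
    "bank.example": "Public CA A",
    "mail.example": "Public CA B",
    "shop.example": "Public CA A",
    "news.example": "Public CA C",
}

# Constructed observation: one site legitimately moved to another public CA.
CLEAN_MACHINE = [
    ("bank.example", "Public CA A"),
    ("mail.example", "Public CA B"),
    ("shop.example", "Public CA B"),   # ordinary CA change, single site
    ("news.example", "Public CA C"),
]

# Constructed observation: a local root re-signs every site it intercepts.
SUSPECT_MACHINE = [
    ("bank.example", "Local Adware Root"),
    ("mail.example", "Local Adware Root"),
    ("shop.example", "Local Adware Root"),
    ("news.example", "Public CA C"),   # connection that was not intercepted
]


def suspect_roots(observed, baseline, min_sites=2):
    """Return {issuer: [sites]} for issuers that replaced the expected
    issuer on at least `min_sites` distinct sites.

    A single mismatch is treated as a possible CA change by the site
    operator; the same replacement issuer across several unrelated
    sites points at interception by a root in the local trust store.
    """
    replaced = defaultdict(set)
    for site, issuer in observed:
        expected = baseline.get(site)
        if expected is not None and issuer != expected:
            replaced[issuer].add(site)
    return {
        issuer: sorted(sites)
        for issuer, sites in replaced.items()
        if len(sites) >= min_sites
    }


if __name__ == "__main__":
    print("clean:  ", suspect_roots(CLEAN_MACHINE, BASELINE))
    print("suspect:", suspect_roots(SUSPECT_MACHINE, BASELINE))
```

An issuer flagged this way should then be looked up in the operating system's trusted root store and removed there if it was not deliberately installed.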


