The price of Windows laptops has come down for many reasons. With the recent launch of Windows 8.1 with Bing, manufacturers no longer have to pay a royalty to Microsoft if they meet certain hardware requirements. Combine that with the ever-increasing revenue streams manufacturers earn by placing a bunch of garbage software and offers on new PCs, and the actual machine becomes inexpensive for users. Well, those exact pieces of software have enraged Lenovo customers and concerned security experts.
Superfish, a piece of software that comes pre-loaded on almost every Lenovo laptop from September 2014 up through January 2015, not including ThinkPads, is essentially adware that displays "relevant shopping advertisements" to consumers, even when they're on secure websites. It can basically be considered a hijacker of sorts, routing traffic through a certificate that allowed Superfish to see your traffic and then display the ads. On Internet Explorer and Chrome, Superfish would even inject third-party ads into Google search results, without the end user's permission to do so. As you can imagine, all of this is a potential problem and a huge security risk, especially if a firm finds and publishes a password that could let you unlock the certificate and bypass any encryption on your computer. And that's exactly what happened, on the heels of Lenovo's forums filling with customer complaints. The password, by the way, was contained in the program's active memory and was no challenge to find and retrieve.
Obviously Lenovo was very concerned upon discovery of this news and took immediate action, right? Not exactly. The company first published a statement saying that they thought users would love to have this installed on their machines, and that it was "to help customers potentially discover interesting products while shopping." A noble idea in theory, yet clearly terribly implemented. After the company's initial response, Lenovo then posted a follow-up statement.
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively. Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market. Lenovo stopped preloading the software in January. We will not preload this software in the future.
Lenovo has also issued a removal tool to fully get rid of the software, since uninstalling won't completely remove it. Those unsure whether the removal tool actually works can run a test created by researcher Filippo Valsorda. Lenovo is also working with Microsoft and McAfee, and products by those companies will automatically detect and remove the software in most cases.
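A second way to check whether the interception certificate described above is still trusted is to look in the Windows certificate stores directly. The script below is an added example, not Lenovo's removal tool and not Valsorda's test; it assumes the certificate's subject contains the vendor name "Superfish", which you can change via the $Pattern parameter.

```powershell
# Added example: list any trusted root certificate whose subject or issuer matches the
# adware vendor's name. Assumption: the interception CA's subject contains "Superfish".
param([string]$Pattern = 'Superfish')

# Both the machine-wide and per-user trusted root stores can hold an injected CA.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # A self-signed root is exactly what a traffic-interception CA looks like.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                # A root whose private key is on the machine can sign a certificate for any site.
                HasPrivKey = $_.HasPrivateKey
            }
        }
}

if ($findings) {
    Write-Warning "Trusted root matching '$Pattern' is still present; removal is incomplete."
    $findings | Format-Table -AutoSize
    # After confirming the thumbprint, the entry can be deleted from an elevated prompt:
    #   Get-ChildItem "Cert:\LocalMachine\Root\<THUMBPRINT>" | Remove-Item
    exit 1
} else {
    Write-Output "No trusted root matching '$Pattern' found in the Windows certificate stores."
    exit 0
}
```

Firefox keeps its own certificate store, so a clean result here does not cover that browser.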