Lenovo Publishes Superfish Adware Removal Instructions, But Still Faces Major Lawsuit

Feb 23, 2015 11:47 AM EST

Chinese computer company Lenovo has issued instructions and software to its users on how to remove the Superfish program from their Windows 8.1 laptops, but it may be too late for them to avoid legal action.

According to a CBS News report, researchers revealed Thursday that a vulnerability in the Superfish software pre-loaded on many Lenovo laptops could allow hackers to impersonate shopping and banking websites and trick users into handing over credit card numbers and other sensitive personal data. The company has since apologized for pre-loading the software on select laptops.

"Superfish was installed on more than 11 types of Lenovo laptops sold to the public between September 2014 and January 2015, including the popular Yoga and Flex models, but not ThinkPads," Lenovo told CBS News.

Lenovo has published Superfish removal instructions on its website. The Beijing-based company also created software that would automatically remove the malware.

However, some users have threatened to sue Lenovo over the malware fiasco. According to Agam Shah of PC World, a proposed class-action suit was filed against both Superfish and Lenovo, accusing both companies of "fraudulent" business practices and making users' computers vulnerable to malicious attacks with the pre-loaded software.

"Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called 'spyware' in court documents," Shah wrote. "She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits."

Shah added that the lawsuit was filed in the U.S. District Court for the Southern District of California. A spokesperson from Lenovo declined to comment on the lawsuit.

Gregg Keizer of Computerworld reported that Lenovo would work alongside antivirus vendor McAfee and Microsoft to remove all traces of the Superfish software. The company explained how this process would work.

"We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," Lenovo said in a statement issued on Friday. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."

Lenovo contended in its statement that it "did not know about this potential security vulnerability until yesterday." Keizer explained how the Superfish software was supposed to work.

"To serve ads on encrypted websites, Superfish installed a self-signed root certificate into the Windows certificate store, as well as into Mozilla's certificate store for the Firefox browser and Thunderbird email client," Keizer wrote. "That Superfish certificate then re-signed all certificates presented by domains using HTTPS."

Keizer described this process as a "man-in-the-middle" (MITM) attack that would allow hackers "to spy on supposedly secure traffic between a browser and a server."

"All hackers needed to do was crack the password for the Superfish certificate to launch their own MITM attacks by, for example, duping Lenovo PC users into connecting to a malicious Wi-Fi hotspot in a public place, like a coffee shop or airport," Keizer wrote. "Cracking the password proved laughably easy, and within hours it was circulating on the Internet."
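A defender-side check for the mechanism Keizer describes, added here as an example and not part of Lenovo's removal tool: it audits both Windows root stores for a root whose subject contains "Superfish" (assumed to match the adware's certificate name) and, more generally, for any trusted root whose private key is present on the machine, the trait that made the Superfish root usable for MITM attacks.

```powershell
# Added example, not Lenovo's or Superfish's code. Assumes the Superfish root's
# subject contains the string "Superfish"; adjust the pattern if your stores differ.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $isSuperfish = $_.Subject -match 'Superfish'
        # A trusted root CA whose private key lives on the endpoint is the hallmark
        # of local TLS interception: whoever extracts that key can re-sign any site.
        # Legitimate exceptions exist (e.g. a machine that is itself an enterprise CA),
        # so treat this as "review", not "malicious".
        $hasKey = $_.HasPrivateKey
        if ($isSuperfish -or $hasKey) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = if ($isSuperfish) { 'Superfish root' } else { 'Root with local private key' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # To remove a flagged root: Remove-Item "<Store>\<Thumbprint>" (elevated for LocalMachine).
    # Firefox and Thunderbird keep their own certificate store, which Superfish also
    # modified, so check and clean it separately.
} else {
    'No Superfish root or private-key-bearing root found in the Windows root stores.'
}
```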

Ken Westin, a security analyst at security firm Tripwire, told Keizer that Lenovo and other players in the PC industry should stop pre-loading third-party software on their products. He argued that such "bloatware" carried both security and privacy threats.

"When they pull this kind of stuff, I know I don't want to buy a Lenovo," Westin said.

Lenovo has published a full list of the affected laptops on its website.