How serious is the security threat posed by adware installed on Lenovo laptops?

Bad enough that the Department of Homeland Security early Tuesday called the adware “spyware” and issued another threat warning to consumers who have recently bought Lenovo machines to uninstall it. 

The warning came through the U.S. Computer Emergency Response Team, or CERT, which issued the alert on Friday and updated it again Tuesday. The revised warning was issued hours after Lenovo’s chief technology officer formally apologized for the adware installation and conceded that Lenovo did not realize there was a security threat until it was detected and reported by other sources. 

The adware, which was installed on a wide variety of Lenovo laptop models between September of last year and late January, is from a California-based startup called Superfish. The adware exposes users to “HTTPS Spoofing” and “a classic man-in-the-middle attack,” CERT reiterated in the updated warning.

“All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack,” CERT warned. “Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with,” CERT said.


Security firm Veracode offers this explanation about spoofing: “A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls.”

So-called “man-in-the-middle” attacks can be enabled by spoofing. HTTPS, the secure version of the web protocol indicated by the “https://” prefix in a site’s address, encrypts the page requests and responses that travel between a user’s browser and a website.

“A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser,” CERT said.

CERT warns that the Superfish-related problem goes to the heart of how the machine decides which websites to trust – the “certification authority,” or CA, whose certificate the software installs.

Therefore, just removing the software is not enough.

“It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate,” CERT said.

The warning:

“Superfish adware installed on some Lenovo PCs install a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.”

The CERT description:

“Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.

“Although Lenovo has stated … they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.”

What to do

The warning then spells out remedial steps consumers should take.
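One way to check whether the Superfish root certificate is still trusted after the software has been uninstalled, as an added example that is not part of the alert or this article; it assumes a Windows machine with PowerShell and that the certificate’s Subject field contains the string “Superfish”:

```powershell
# Added example (not from the CERT alert): look for a trusted root certificate
# issued to Superfish in both the machine-wide and the current user's Root stores.
# Assumption: the Superfish CA certificate carries "Superfish" in its Subject.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotBefore, NotAfter
}

if ($found) {
    # Report every match with the store it lives in, so the removal step can target it.
    $found | Format-Table -AutoSize
    Write-Warning 'A Superfish root CA certificate is still trusted on this machine.'
    # Removal must be run from an elevated PowerShell prompt; Remove-Item deletes
    # certificates from the Cert: drive. Left commented so the check itself is read-only.
    # $found | ForEach-Object { Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" }
}
else {
    'No root certificate with "Superfish" in its subject was found in the Windows stores.'
}
```

Browsers that keep their own trust store rather than using the Windows one (Firefox, for example) are not covered by this check and must be inspected separately.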

Read the full alert at: https://www.us-cert.gov/ncas/alerts/TA15-051A