Lenovo’s chief technology officer has issued a formal apology to customers about the Superfish adware – many call it malware and a security risk – in an attempt to quell a storm of global criticism. The top technology executive at the world’s No. 1 PC maker conceded that Lenovo was not aware of the security flaw until informed by others.

The apology was issued hours before the federal government reiterated a warning that the software posed a security threat and needed to be removed. The U.S. Computer Emergency Response Team, or CERT, issued an alert on Friday and updated it again Tuesday.

The adware, which CERT labeled as “spyware,” was installed on laptops manufactured for consumers between September of last year and January.

“For this, I would like to again apologize,” wrote Peter Hortensius in a statement emailed to some media members and also published at Lenovo’s website.

“Now, I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.”

Controversy about the adware erupted last week after media reports surfaced about Superfish and a growing chorus of security experts warned that it exposed consumers to security risks.

At first, Lenovo said there was no security risk. That statement was later changed, and Lenovo’s own tech advisory on the situation warned that the risk was “severe.”

The U.S. Department of Homeland Security joined the fray, warning that Superfish should be uninstalled. (The warning was updated again early Tuesday.)

Hortensius, a former IBMer who joined Lenovo when it acquired IBM’s PC business a decade ago and who is based in the Triangle, also granted some media interviews in which he apologized and sought to quell the uproar.

Lenovo issued a number of statements of regret, made an uninstall tool available and later updated it. Numerous media outlets also published uninstall guides. Microsoft, McAfee and Symantec also joined the fray, offering removal guidance and tools.

The company, which bases most of its operations in China but operates its global executive headquarters in Morrisville, has from the start stated that no adware was pre-installed on any ThinkPad laptops sold to business customers.


WTW coverage of Superfish controversy:

  • Superfish defends its software
  • Is Lenovo spying on you?
  • Lenovo offers a tool to uninstall Superfish
  • Lenovo: We’re no longer installing Superfish

However, Lenovo’s actions have done little to stop the outcry.

So, Monday evening, Hortensius apologized again and listed in detail the company’s efforts to correct the problem as well as to restore its tarnished image.

“While this issue was limited to our consumer notebooks and in no way impacted our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognize that all Lenovo customers may have an interest in where we are and what is next,” he wrote.

“The fact is our reputation touches all of these areas, and all of our customers. Now, we are determined to make this situation better, deliver safer and more secure products and help our industry address – and prevent – the kind of vulnerabilities that were exposed in the last week.”

The mea culpa also acknowledges that Lenovo was unaware of the security “vulnerability,” as Hortensius described it, until the media storm broke.

“Beginning in September 2014, we made a decision to ship some of our consumer notebooks with Superfish.  This software frustrated some users without adding value to the experience so we were in the process of removing it from our preloads,” Hortensius wrote.

“Then, we saw published reports about a security vulnerability created by this software and have taken immediate action to remove it. 

“Clearly this issue has caused concern among our customers, partners and those who care about Lenovo, our industry and technology in general.  For this, I would like to again apologize. Now, I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.”

The CTO wrote that Lenovo is “developing a concrete plan to address software vulnerabilities and security with defined actions.”

Possible steps include:

  • “Creating a cleaner PC image (the operating system and software that is on your device right out of the box);
  • “Working directly with users, privacy/security experts and others to create the right preload strategy quickly;
  • “Soliciting and assessing the opinions of even our harshest critics in evaluating our products going forward.”

Hortensius also outlined remedial steps Lenovo has taken and insisted that “these actions mean all new products already in inventory will be protected.”

He defended Lenovo’s reactions, insisting that Lenovo had “communicated as rapidly as possible with customers, partners and industry watchers and influencers.  I hope that with every communication, we are better informed and more clear on what is important.”