Lenovo installed software making laptops vulnerable to hacking

dud

"China's Lenovo Group Ltd, the world's largest PC maker, had pre-installed a virus-like software on laptops that makes the devices more vulnerable to hacking, cybersecurity experts said on Thursday.

Users reported as early as last June that a program called Superfish pre-installed by Lenovo on consumer laptops was 'adware', or software that automatically displays adverts.

Robert Graham, CEO of U.S.-based security research firm Errata Security, said Superfish was malicious software that hijacks and throws open encrypted connections, paving the way for hackers to also commandeer these connections and eavesdrop, in what is known as a man-in-the-middle attack.

Lenovo had installed Superfish on consumer computers running Microsoft Corp's Windows, he added. "This hurts (Lenovo's) reputation," Graham told Reuters. "It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops."

An administrator on Lenovo's official web forum said on Jan. 23 that Superfish has been temporarily removed from consumer computers. Lenovo executives were not immediately available for comment during the Lunar New Year holiday in China."

http://www.reuters.com/article/2015/02/19/us-lenovo-cybersecurity-idUSKBN0LN0XI20150219
 

BarkingGhostar

Why should this be so surprising? They did it with their own needs first and the consumer's needs last. Besides, it IS a communist country the company is in. They should change their name to Leninov.
 

some_guy

There might be an opportunity to market computers with a trusted install of both BIOS and OS.
 

dud

> Why should this be so surprising? They did it with their own needs first and the consumer's needs last. Besides, it IS a communist country the company is in. They should change their name to Leninov.

Who said anyone was surprised? If I were an owner of ANY computer manufactured by Lenovo I would at the very least be greatly concerned.

The Chinese Government has at least some influence on the company. You buy at your own risk.

What's to be surprised about? Just being informative ...
 

Anteaus

I love my Lenovo machines but all the bloat that Lenovo installs has been a lasting criticism. The fact that they got caught with their pants down only reaffirms that they aren't considering all eventualities. I'll keep buying their hardware, but it also means I'll keep doing clean installs when they come out of the box.
 

BSim500

First thing anyone should do with a new modern laptop is download all the required drivers to a USB stick, remove the HDD, put an SSD in and reinstall from scratch.
 

SOFTengCOMPelec

http://lifehacker.com/how-to-test-your-pc-for-the-new-superfish-security-vu-1686788663

Security researchers have discovered a vulnerability in a piece of adware called Superfish that makes your computer vulnerable to all kinds of attacks. Superfish ships preloaded on many Lenovo computers, but can also be installed on any machine. Here's what's going on and how to test if you're infected.


What Superfish Is

Superfish is basically your run-of-the-mill adware software, but with some big security holes. Lenovo pre-installed it on some computers sold between October 2014 and December 2014, but any Windows computer can be infected. At its core, Superfish is meant to place advertisements in your web browser. The problem is that the software also intercepts encrypted traffic, which opens up your computer to man-in-the-middle attacks (which work similarly to the Heartbleed security bug from last year).

Not only that, but Superfish also intercepts HTTPS connections. A post over at Errata Security shows that the HTTPS certificate is incredibly easy to crack, which makes you even more vulnerable. For example, security researcher Chris Palmer found that when he visited Bank of America's web site on a computer with Superfish installed, the bank's certificate was signed by Superfish rather than VeriSign. This means attackers could use the certificate to create fake HTTPS web sites that grab your passwords, or even create viruses that are "signed" to look legitimate. Update: Lenovo's released a list of affected machines here, but it's still worth following the instructions below just to double-check.
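
The Bank of America observation above, turned into a check; this is an added example, not code from the article or from anyone in the thread. It reads the issuer of the certificate a site presents and flags it when the issuer names Superfish. The marker list and the two sample certificates are constructed assumptions, and the page does not establish whether the interception also applies to traffic from a Python process.

```python
import socket
import ssl

# Assumption: issuer substrings treated as signs of local TLS interception.
# "Superfish" comes from the article; extend the tuple for other products.
INTERCEPTION_MARKERS = ("superfish",)


def issuer_fields(peer_cert):
    """Flatten the nested 'issuer' tuple returned by SSLSocket.getpeercert()."""
    fields = {}
    for rdn in peer_cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def looks_intercepted(peer_cert, markers=INTERCEPTION_MARKERS):
    """True if the issuer organisation or common name contains a marker."""
    issuer = issuer_fields(peer_cert)
    text = " ".join(
        issuer.get(k, "") for k in ("organizationName", "commonName")
    ).lower()
    return any(m in text for m in markers)


def fetch_peer_cert(host, port=443, timeout=5):
    """Handshake with host using the default trust store; return its leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format (not captured from real hosts).
CLEAN = {"issuer": ((("countryName", "US"),),
                    (("organizationName", "VeriSign, Inc."),),
                    (("commonName", "Example VeriSign Issuing CA"),))}
REWRITTEN = {"issuer": ((("organizationName", "Superfish, Inc."),),
                        (("commonName", "Superfish, Inc."),))}

if __name__ == "__main__":
    for name, cert in (("clean", CLEAN), ("rewritten", REWRITTEN)):
        print(name, issuer_fields(cert).get("organizationName"),
              "INTERCEPTED" if looks_intercepted(cert) else "ok")
```

For a live check, pass the result of `fetch_peer_cert("example.com")` to `looks_intercepted` on the machine being examined.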
 

pcgeek11

> I love my Lenovo machines but all the bloat that Lenovo installs has been a lasting criticism. The fact that they got caught with their pants down only reaffirms that they aren't considering all eventualities. I'll keep buying their hardware, but it also means I'll keep doing clean installs when they come out of the box.

I thought everybody did that anyway! I always image the original drive before even booting it up. Then clean install the OS of my choice...

No demons.