Lenovo, a computer company that last year held one-fifth of the world computer market, had been installing adware on PCs. The adware came pre-installed on new PCs shipped between October and December 2014. It hijacked encrypted sessions, leaving the affected computers vulnerable to attack. The adware uses a fake security certificate called Superfish, which can circumvent HTTPS encryption.
Ars Technica has a detailed piece here on the adware and how it works. I recommend giving it a read.
Given the size and scope of Lenovo’s market share, this story was obviously going to be big news. To make matters worse, in a pretty callous statement, Lenovo said that the adware was included “…to help customers potentially discover interesting products while shopping.”
Yeah, right. (Ars actually wrote an article called “Lenovo honestly thought you’d enjoy that Superfish HTTPS spyware” based on that one!)
The company is now backtracking, with Lenovo’s CTO now saying that “… we didn’t do enough.” There are also promises to wipe Superfish off the affected PCs.
So the company is sorry. Sort of. </sarcasm>
Lenovo’s complete statement, along with affected model numbers and instructions for removal, is here.
Just a couple of days ago, I was eyeing a Lenovo tablet for an upcoming project. I am really glad now that I didn’t make that purchase.
Stay tuned. There is going to be a lot more news on this in the days to come.