Reuters reports that the US Department of Homeland Security has advised Lenovo customers to remove "Superfish" software from their computers. According to an alert released through its National Cyber Awareness System, the software makes users vulnerable to SSL spoofing and could allow a remote attacker to read encrypted web browser traffic, spoof websites, and perform other attacks on Lenovo PCs with the software installed.
Lenovo inititally said it stopped shipping the software because of complaints about features, not a security vulnerability. "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday. On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software and providing instructions for uninstalling "Superfish". "We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."
[Editor's Note: For background information on this threat, Ars Technica has coverage here, here, here, and here.]
(Score: 5, Interesting) by frojack on Saturday February 21 2015, @06:06PM
Returning Computers to the store is WORSE advice than taking your car in for a recall.
You're suggesting everyone who purchased a Lenovo hand all their data to some local retailer, who in turn hands it over to Lenovo, which is located in China. Nice windfall for them. Customer is left without both their data AND their computer. Thanks a lot buddy.
Fortunately the Government isn't that stupid, and knows that removing all traces of sensitive data from a computer is a tougher job then the average housewife can handle, and doesn't make such silly mandates.
The automatic removal tool and/or the manual removal steps [lenovo.com] are simple enough, and Microsoft Security Essentials (which also comes pre-installed) will remove it for you.
A nice fat fine for Lenovo is all that is required here.
No, you are mistaken. I've always had this sig.
(Score: 2) by fritsd on Saturday February 21 2015, @06:56PM
Hm.. good point.. to continue the car analogy, it is advised to first take your child out of the car before you bring the latter to the garage for recall. Unfortunately your computer doesn't protest as loudly when you bring it back to the shop where you bought it.
And one of the first things you'd want to do with a new computer is put all the stuff from the old computer on it, so what you describe is probably quite common.
So what's the solution? Some local company that specializes in trusted wiping of computers? (Fee to be sent to Lenovo) and then return it to the retailer?
(Score: 2) by frojack on Saturday February 21 2015, @07:08PM
The solution was pointed out in my first reply. Maybe re-read that?
Remove the malware, and get on with your life.
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by JNCF on Saturday February 21 2015, @08:14PM
Well if we're going to be statists about the thing, the recall could simply instruct consumers on how to remove their hard-drives. I don't know how difficult that would be on the affected models, but on my ThinkPad it's about as difficult as swapping out batteries on a normal consumer device. You'll need a screwdriver, but it's a world of difference from trying to wipe the thing clean before returning it. Let Lenovo eat the cost of not getting their hard-drives back.