Lenovo notebook computers shipped last fall came pre-installed with a program called Visual Discovery/Superfish that has caused alarm among computer security experts.
Article continues below
Robert Graham, CEO of the U.S.-based computer security firm Errata Security, described Superfish as "adware" that works by injecting JavaScript code into web pages.
"This is known to cause a lot of problems on websites," Graham wrote on his blog. More alarmingly, the software is designed to intercept all encrypted connections, the blog post said, including "things it shouldn't be able to see. It does this in a poor way that leaves the system open to hackers or NSA-style spies."
Security researcher Marc Rogers wrote on his blog that Superfish "uses a 'man-in-the-middle attack' to break secure connections on affected laptops in order to access sensitive data and inject advertising." Because of the way it does this, he added, "users cannot trust any secure connections they make – to any site." Rogers is principal security researcher at the security firm Cloudflare and head of security for the hacking conference Def Con.
Lenovo posted its answer: "At Lenovo, we make every effort to provide a great user experience for our customers. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.
"We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.
"We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January, and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future.
"To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any Lenovo desktops or smartphones. This software has never been installed on any enterprise product, servers or storage, and these products are in no way impacted. And, Superfish is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users.
"We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort." ■