in Check It Out, Meddling, X-Geek

Lenovo shipping laptops with pre-installed adware that kills HTTPS | CSO Online

Whoops. Lenovo shipped computers with adware that breaks ALL SSL on its laptops. Not only that, but the private key is also widely available, meaning anyone can spoof any website on an unsuspecting Lenovo owner’s computer. Major security fail!

Lenovo is in hot water after it was revealed on Wednesday that the company is shipping consumer laptops with Superfish Adware pre-installed. Security experts are alarmed, as the software performs Man-in-the-Middle attacks that compromises all SSL connections.

It’s a fact of life; PC manufacturers are paid to install software at the factory, and in many cases this is where their profit margin comes from. However, pre-installed software is mostly an annoyance for consumers. Yet, when this pre-installed software places their security at risk, it becomes a serious problem.

via Lenovo shipping laptops with pre-installed adware that kills HTTPS | CSO Online.

Update: More technical info here and here.

  1. “Superfish inserts a certificate into the certificate store. According to Chris Palmer from the Google Chrome security team, and others, Superfish installs a certificate in the Windows Certificate Store. That certificate means that a web browser browsing to, say, http://www.bankofamerica.com/ will silently have its secure connection decrypted by Superfish, inspected for suitability of advertisements, and then a new encrypted connection will be made from the Superfish process to Bank of America. Likewise, the web page sent back by Bank of America might have advertisments inserted into the HTML by Superfish.

    It is hard to overstate how catastrophically bad this design is. It doesn’t merely insert advertisements into web pages. It undermines every secure connection the Windows computer might make.”

Comments are closed.