Superbad: The Superfish Malware
If you own a Lenovo computer, please follow the links below and take immediate steps to protect yourself.
Even if you don’t have a Lenovo, please follow the links to check if you may be compromised from one of the other vectors. I’m including the link to check your status here and below, because it’s important.
You need to check. Right now. Mac or PC, check ALL your browsers.
If you see a “YES” take immediate action. Links to the removal how-to are below.
Crapware and Bad Citizenship
Anyone who’s ever bought a new Windows computer has been frustrated by the “crapware” that comes so helpfully pre-installed. Most of the time you can simply elect never to use it, or uninstall it, but it’s still there, and instead of just using your shiny new computer you have to spend several hours removing software that is intended to benefit the company — not the user.
You’d think computer sellers wouldn’t want to deliver a unit so riddled with crapware that it’s nearly unusable for the user, but, no. They’re taking the short term profit reaped from pre-installing third party applications over the longer term benefit of happier customers and a more secure computing environment for us all.
Respected companies that ought to be behaving better try to trick users into installing third party applications. Oracle, for example, ships its Java updates with check boxes already ticked for toolbars or other applications, and Adobe’s Flash updates do the same thing. They count on users not seeing that check box at all, or not seeing it until it’s too late. It’s bad citizenship and they should stop doing it.
I expect I’m not the only user who has learned to proceed very carefully with these updates. I scour the dialog boxes looking for the hidden “opt-in” language or check box. It’s how people end up with toolbars that hijack their web searches. A family member of mine constantly fell prey to such tricks until we had a discussion about how to stop and check for those sneaky, devious, already opted-in crapware elements.
Superfish and Komodia
On February 19th, a security researcher discovered that Lenovo was shipping laptops with an application that not only hid itself but also created a serious security compromise: SSL (https:) traffic that we should be able to trust was, on these computers, neither trustworthy nor safe.
The problem is not limited to Lenovo computers — there are many ways this malware (Lenovo and the other companies involved are denying it’s malware or an exploit, but let’s just call it what it is, which is malware) can get onto your computer. Lenovo simply provided customers with a computer that was compromised out of the box.
You need to check. Right now. Mac or PC, check ALL your browsers.
If you see a “YES” take immediate action.
The EFF has a post here that explains the steps to take to remove Superfish.
Further reading
Robert Graham’s Extracting the SuperFish certificate post
How to set up a clean Windows install for your new computer. Ironically, the example computer is a Lenovo. It’s a good thing he did this.
Gizmodo also has a how-to on removing it — with some interesting and amusing comments.
Mashable has a list of affected Lenovo models.
I would love it if one week you could explain Java and Javascript and what I actually need my computer to have and what I don’t. I do try to remove all the crapware but I’m not always certain about the difference between things my computer needs to be functional and what is just wasted space.
Very interesting article – agree about all the bloatware that new computers are shipped with. And it is bloody annoying not to be able to remove everything!
And a Java/Javascript article would be enlightening!
Ros, I should probably post about that on my blog. The situation’s evolved a lot since I joined Apple’s Safari team in 2008. (I left Apple in 2013.)
The short version: most people won’t need Java on their desktop systems. (Android devices run on Java, though that’s already handled for you.)
JavaScript is an entirely different language and can be very useful. It can also be used for annoying or harmful purposes, which is one reason why browsers offer several ways to limit JavaScript.
@Ros: Yes please! I’ve been saying no every time I get the pop up box that a Java update is available but should I be?
JSON thank you for this post. Hubby just checked our pc and we are clear. I always enjoy your posts and learn from them, so thank you for joining our community and sharing your knowledge.
Thanks for posting this article. My daughter has a Lenovo Thinkpad, so we’d already checked it on hers (and she didn’t have Superfish.) But I didn’t think to check it on mine. I don’t have it on any of my browsers thankfully, but I still appreciate the warning.
Thanks for the heads-up. Gizmodo has a second article that goes into greater detail about the malware, including which computers are less likely to have it pre-installed. Lenovo didn’t put this on all their computers, just on the low-cost ones like the Yoga line (which is still bad enough, obviously). And they point out that computers bought directly from the Microsoft Store won’t have this because Microsoft requires that bloatware be kept off computers it sells. So the Yoga computers bought directly from them shouldn’t have it.
Thank you for blogging about this. I was dismayed since I have a Lenovo Yoga 2 Pro. Luckily, the tests came out negative for all my browsers. I am wondering if one of my antivirus/malware programs removed it without me knowing what it was. But I am still paranoid that I might still be vulnerable. Yikes!
@nasanta: It’s unlikely that your malware software would have removed it, unless it did it in the last 2-3 days. Microsoft issued an update to do just that shortly after the vulnerability was made public on Feb-19.
@Elizabeth Langston: The Thinkpad was not, if I’m recalling correctly, one of the models shipped with Superfish. It’s a higher end computer. But since there are other ways to have ended up with Superfish, it was wise of you to check.
@Ros: I can certainly do a broader post about Java and JavaScript. Java is an actual programming language. JavaScript is not; it’s a scripting language used primarily for manipulating how and what you see in web browsers.
If you have Java installed on your computer (because you need it) you should certainly do the updates–this assumes that you are aware of the version of Java required for your use of it. Older versions of Java can and do have vulnerabilities. If you have Java installed and you’re not sure why it’s there, you should still update, and then find out why it’s there and consider removing it. Why have it installed if you don’t need to?
The problem with disabling JavaScript in the browser is that so many websites rely on JavaScript that having it disabled can make your browsing experience pretty terrible. But it’s safer to do so.
Yet another reason I’m thankful for Linux and the NoScript add-on in my Firefox browser. Granted, NoScript is a pain initially, but it’s what alerted me to clickbait on the Asus support pages, of all places.
Thank you for doing this.
@Darlynne: NoScript is a great plugin to consider. Thanks for mentioning it.
Thanks for this information & for presenting it in a way that’s easy to understand. I checked all my family laptops – one of which is Lenovo.
I still don’t quite understand java vs javascript either. I tried disabling java last year and must have disabled javascript instead because my browsers stopped working. Anything more you can share about this would be appreciated.
Thanks for publicising this. Although I am not a security expert, I have enough technical background to know how very bad this is, and will no longer purchase Lenovo machines. Like @Darlynne, I run Linux (Ubuntu flavor) as my primary desktop, which means crapware and malware are not something I worry about much personally, but I do provide technical support to friends, so I try to stay up to date with the Windows world.
Seriously, people: this is beyond bad.
I imagine for those users who aren’t tech savvy, this could be pretty disconcerting. But this Superfish software wasn’t something hidden deep within the bowels of the computer. If I went to the Target website and looked up a KitchenAid stand mixer, a pop-up would appear showing the same item or a comparable item and its sale price listed at other places on the web. I guess if you never went to one shopping website ever, then maybe it was a big secret. I received my Yoga Pro2 for Christmas and had the software uninstalled and the certificates deleted well before New Year’s.
Is it crappy they preloaded it on my machine? Yes. But I have a huge hate-on for McAfee as well and that software is preloaded damn near everywhere.