Ed Driscoll

'You Had One Job, Lenovo: And It Didn’t Involve Sneaking Malicious Adware Onto Your Customers’ Computers'

“Quite possibly the single worst thing I have seen a manufacturer do to its customer base. … I cannot overstate how evil this is,” Slate notes:

To recap: Since at least September, Lenovo has been shipping OEM Windows laptops preloaded with Superfish “adware,” which would rudely inject its own shopping results into your browser when you searched on Google, Amazon, and other websites. This sort of behavior is associated more with spyware than with factory-shipped operating-system installs, and by itself would be a new low for Lenovo. But Superfish is more than just pesky. It’s the most virulent, evil adware you could find.

By installing a single self-signed root certificate (trust me: That’s really bad) across all of Lenovo’s affected machines, Superfish intentionally pokes a gigantic hole into your browser security and allows anyone on your Wi-Fi network to hijack your browser silently and collect your bank credentials, passwords, and anything else you might conceivably type there. As Errata Security’s Robert Graham put it, “I can intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot.” If you have a Lenovo laptop that has Superfish on it (try Filippo Valsorda’s Superfish test to see), I would advise nothing short of wiping the entire machine and installing vanilla Windows—not Lenovo’s Windows. Then change all of your passwords.

So ghastly a perversion is Superfish’s self-signed root certificate that many of us have practically been walking around with our jaws on the floor since the news broke Wednesday night. My Facebook wall is filled with outraged profanity from software engineers. Installing Superfish is one of the most irresponsible mistakes an established tech company has ever made. Reckless, careless, and appalling don’t even come close to covering it.
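For readers who want to check a Windows machine for the kind of self-signed root Slate describes, here is an added triage script (not from the original post, Slate, or Lenovo). It assumes only that the certificate's Subject contains the string "Superfish"; the pattern is a parameter, not a value taken from the post.

```powershell
# Added example: list self-signed roots in the Windows trust stores whose
# Subject matches a pattern. The point of the Superfish story is that the same
# root certificate ships on every affected machine, so whoever holds its key can
# mint a certificate for any site and the browser will accept it.
function Find-SuspiciousRootCert {
    [CmdletBinding()]
    param(
        # Regex matched against each trusted root's Subject (assumption: "Superfish")
        [string]$SubjectPattern = 'Superfish',
        # Root stores consulted by Windows and by browsers that use the OS store
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object {
            # A root CA is self-signed (Subject equals Issuer); flag only those
            # whose name matches the pattern we are hunting for.
            $_.Subject -eq $_.Issuer -and $_.Subject -match $SubjectPattern
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    }
}

$findings = @(Find-SuspiciousRootCert)
if ($findings.Count -eq 0) {
    Write-Output 'No self-signed root matching the pattern was found in the Windows root stores.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning 'Matching root certificate present: TLS sessions on this machine can be intercepted by anyone holding its key.'
}
```

This only inspects the Windows certificate stores; a browser that keeps its own trust store (Firefox, for example) needs a separate check, and a positive result is a reason to follow Slate's advice above rather than to just delete the entry.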

And as Small Dead Animals adds, “Holy crap this is bad. Really bad. As in, next time you’re in a bank take a note of how many of the pieces of hardware are labeled ‘Lenovo’ bad.”