Lenovo has stopped selling products with pre-installed adware. Photo: Reuters

Lenovo stops sales of laptops with pre-installed ‘Superfish’ adware after customer uproar

Mainland personal computer giant says it has stopped shipping laptops with controversial Superfish adware and is now offering online support


Mainland computer giant Lenovo has moved to quash a growing controversy over adware pre-installed on millions of its laptops after experts declared it a serious security threat.

Lenovo, the world's largest supplier of personal computers, said it stopped shipping products with the Superfish software last month and was now offering technical support online with step-by-step instructions on how to uninstall it.

The company, which has its headquarters in Beijing and operations in more than 160 countries, vowed not to preload the software on any product in the future. "We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software," it said.

"We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first."

The Superfish visual discovery adware pushes third-party advertisements into Google searches and websites without the computer user's permission.

The technology was adopted by Lenovo under a partnership with a US-based software start-up, Superfish, that pioneered visual search technology.

"The relationship with Superfish is not financially significant; our goal was to enhance the experience for users," Lenovo said. "We recognise the software did not meet that goal and have acted quickly and decisively."

Global personal computer shipments last year totalled 308.6 million units, with Lenovo accounting for 59.2 million, according to research firm IDC.

Marc Rogers, the principal security researcher at US firm CloudFlare, said in a blog post that Superfish used a "man-in-the-middle" attack to break secure connections on affected laptops to access sensitive data and inject advertising.

"As if that wasn't bad enough, they installed a weak [security] certificate into the system in a way that means affected users cannot trust any secure connections they make to any site," Rogers said. "In this current climate of rising cybercrime, if you can't trust your hardware manufacturer, you are in a very difficult position."

Lenovo said Superfish was not installed on its premium, ThinkPad-brand business notebook computers. The technology was also never preloaded on its desktop computers, smartphones or tablets.

According to Lenovo, the affected products include certain models under its G, U, Y, Z, S, E, Miix, Flex and Yoga-series laptops shipped between September and December last year.

In a blog post, Errata Security chief executive Robert Graham said the Superfish software was "designed to intercept all encrypted connections, things it shouldn't be able to see".

"It does this in a poor way that it leaves the system open to hackers or NSA-style spies. For example, it can spy on your private bank connections," Graham said.

He said the earliest-known Lenovo user postings about the company's add-on software appeared in June. Lenovo shipped more than 16 million laptop and desktop machines in the fourth quarter of last year, with laptops accounting for 52.1 per cent of its revenue.

Chris Palmer, a software security engineer at Google, was credited with noticing the implications of the adware after buying a Lenovo laptop in San Francisco.

Lenovo said Superfish technology did not profile or monitor user behaviour.

Rogers, however, said Superfish's software had quite a reputation. "It is a notorious piece of adware, malicious advertising software," he said.

 

This article appeared in the South China Morning Post print edition as: LENOVO ACTS OVER SECURITY STORM