There is another article about the Lenovo/Superfish debacle on Silicon Beat that looks at what this application is supposed to do, what it is actually doing, and a bit into what it could do if it so chooses. None of it sounds all that great and some of it is scary.
Superfish is supposed to allow users to take a picture, submit it to Superfish, and Superfish will search the web for a close match and return the results to you. I suppose this comes in handy if you are searching for the pair of pants you can’t find or live without. Superfish CEO Adi Pinhas denies that the program is a security risk.
“Pinhas said the software installation was “to provide users with real-time price comparisons as they were shopping online.”
But in order to show these Superfish-generated ads, Lenovo has been breaking all encrypted traffic for millions of customers.
Business Insider described how this security flaw works: “Secure websites — like a bank, or a form for entering passport details — will have a security certificate, which proves to your browser that the site is who it says it is. These certificates stop rogue sites and hackers impersonating trusted websites and stealing your sensitive details. Superfish also inserts ads into these secure web pages, and it does so by installing a new certificate authority onto users laptops.”
Several experts have said Superfish is responsible for producing fake certificates; Superfish says Komodia is responsible. But Superfish also recognized there was a problem a while back, according to Pinhas.”
I removed this pest from my partner’s new Lenovo laptop yesterday. Use these instructions from Sophos to do likewise.
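The quoted explanation above is the whole problem in one line: a new certificate authority in the trusted-root store lets the software sit in the middle of every HTTPS session and the browser never complains. The quickest way to confirm whether a machine is affected is to look in that store. The following PowerShell is an added example written for this post; it is not from the original article, from Sophos, or from Lenovo. It assumes the rogue root certificate can be recognised by the string "Superfish" in its subject, which is an assumption you should confirm against the Sophos instructions before deleting anything.

```powershell
# Added example (not from the original post or from Sophos): list any trusted
# root certificate whose subject mentions Superfish, in both the machine-wide
# and the per-user root stores. Matching on the subject string is an
# assumption for this example; confirm each hit before removing it.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotBefore, NotAfter
}

if ($hits) {
    Write-Output 'Unexpected trusted-root entries found:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish root certificate found in the LocalMachine or CurrentUser Root stores.'
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable. If it reports a hit, uninstall the Superfish program first and only then remove the certificate, otherwise the application can simply put it back; also remember that Firefox keeps its own certificate store, so clearing the Windows stores does not clean that browser. The Sophos instructions linked above walk through both steps.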
More Info: Silicon Beat and Sophos
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com