February 19, 2015 Last Updated 4:24 pm

Electronic Frontier Foundation calls Lenovo Superfish installation ‘a massive security catastrophe’

The customers of low-end Lenovo laptops are probably not the most likely to be up to speed with technology. That makes the fact that Lenovo laptops contain Superfish software all the worse.

In case you haven’t heard, several tech websites have been reporting that Lenovo laptops are coming preloaded with software called Superfish, adware that undermines Windows’ certificate-based HTTPS security. Superfish installs its own root certificate into the system’s trusted-root store and then acts as a man-in-the-middle on the user’s encrypted web traffic, re-signing each site’s certificate with its own so the browser accepts the forgery, in order to inject advertising into the pages the browser displays. Low-end PCs often come with unwanted software pre-installed by the manufacturer as an added revenue stream.
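A practitioner checking a laptop for this problem would start with the trusted-root stores. The following PowerShell script is an added example, not code from the article or from Lenovo or Superfish; it lists any root certificate whose subject or issuer names Superfish, in both the machine-wide and the per-user store, and deletes it only when run with its own -Remove switch (that switch is this script’s parameter, not a built-in).

```powershell
# Added example (not from the article, Lenovo or Superfish): find and optionally
# remove a Superfish root certificate from the Windows trusted-root stores.
# Run from an elevated PowerShell prompt. Without -Remove this is a report-only run.
param(
    [switch]$Remove
)

# A root in either store is enough for IE/Chrome (which use the Windows store)
# to accept the MITM proxy's forged site certificates, so check both.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # Reported for completeness only: Superfish shipped its signing key
                # inside the adware's own binary rather than in the store, so this
                # can be False even on an affected machine.
                HasPrivateKey = $_.HasPrivateKey
                PSPath        = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the trusted-root stores.'
    return
}

$found | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Remove-Item on a Cert: provider path deletes the certificate from that store.
        Remove-Item -Path $cert.PSPath
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
} else {
    Write-Output 'Re-run with -Remove (from an elevated prompt) to delete the certificate(s).'
}
```

Removing the certificate closes the trust hole, but it is not a complete clean-up: the adware itself (listed as VisualDiscovery in the installed-programs list) still has to be uninstalled, or it can simply continue to run its local proxy. After both steps, browsing to any HTTPS site and inspecting the certificate chain in the browser should show the site’s real public CA as the issuer rather than Superfish.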

But the Electronic Frontier Foundation (EFF) is calling Superfish a serious security problem.

“Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users,” the EFF said. “The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken.”

“If you access your webmail from such a laptop, any network attacker can read your mail as well or steal your password. If you log into your online banking account, any network attacker can pilfer your credentials. All an attacker needs in order to perform these attacks is a copy of the Superfish MITM private key.”

Lenovo has reacted to the negative publicity by issuing a statement saying “user feedback was not positive, and we responded quickly and decisively.”

“We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.”

Lenovo said that the laptops shipped between September and December of last year contained the pre-installed software, and that the company stopped preloading the software in January.
