Viewing 18 posts - 1 through 18 (of 18 total)
  • PSA: bought a Lenovo recently?
  • Cougar
    Full Member

    You may have heard of “Superfish” as it’s the latest Panic Du Jour in the media, but there’s a lot of nonsense going about. Here’s the bottom line.

    If you’ve bought a consumer (i.e., not business) Lenovo computer in the last five months, it probably came with some software called Superfish. Lenovo stopped bundling it in December, but those machines will probably have continued to sell for a while.

    This software is supposed to be some sort of image-based search tool, but the way it operates presents a very real security risk. Whilst it’s not technically malware per se, it uses some pretty nefarious tactics.

    I’d urge you (if you’ve got a recent Lenovo) to check for its presence and uninstall it if you find it. Moreover, you also need to remove a component it leaves behind. There are full instructions on Sophos’s blog site here.

    If you want a sensible technical overview of what it’s doing there’s a great article on their site too, here.

    midlifecrashes
    Full Member

    Lenovo Z50 here, bought October. I don’t have it, though I did uninstall a few bits of bloatware straight away without noting what they were, so it may have been there, I don’t remember it though.

    Ta for the heads-up anyway.

    Cougar
    Full Member

    If you’re not sure, check the removal link in my OP and see if their certificate is installed. If anything, that’s the more serious risk and an uninstall won’t remove it.

    The certificate on your PC basically says “trust anything from Superfish.” The problem is that their private key has been compromised so the ability to go “hi, I’m Superfish” is trivial. So any website could go “here’s something dangerous, but it’s ok, it’s certified by Superfish” and your computer / web browser will just go “oh, ok then.”

    fasternotfatter
    Free Member

    If you go for cheap Chinese junk this is what happens.

    Cougar
    Full Member

    Yeah, but Aston Martin stopped making laptops a while ago.

    midlifecrashes
    Full Member

    If you go for cheap Chinese junk this is what happens.

    I haven’t had a UK built computer since Apricot went under in the 90s, how about you?

    Anyway, certificate list checked, it’s not lurking in there. I’m going to try not to worry that I recognise very few of what’s in there though.

    allthepies
    Free Member

    check.

    No fish installed though 🙂

    Solo
    Free Member

    **has a lenovo**
    🙁

    fasternotfatter – Member: If you go for cheap Chinese junk this is what happens
    Bit harsh. I bought because Dell no longer offered what I had always purchased from them, in the past, ie, flexible specs.

    Cougar
    Full Member

    Good machines, generally.

    jambourgie
    Free Member

    I bought a Lenovo in October. I searched for ‘Superfish’, and the only instance was superfish.js in a WordPress theme I’d downloaded.

    Will I die?

    Edit: Now that I think of it I formatted it when I got it to get rid of all the shite, and re-installed Windows. So I probably won’t die.

    allthepies
    Free Member

    Ignore the haterz

    Solo
    Free Member

    Oh, thanks for the PSA, btw.

    mogrim
    Full Member

    I bought mine in January, already checked and it was clear. Utter stupidity on Lenovo’s part, wonder what on earth they were thinking???

    JohnnyPanic
    Full Member

    ^ Indeed. Looks like they thought they were just adding a form of adware and weren’t aware of the security hole it created (or so they say).

    This is everywhere on the web at the moment and Lenovo’s rep has been seriously damaged.

    Lenovo Yoga 2-13 here, bought end of November ’14 on a VAT back offer.
    Lovely lovely machine, came with Superfish, now removed, certificate & all.

    It also had a wifi glitch the first weekend I had it. Wifi turned itself off & wouldn’t turn back on. Fortunately there was a BIOS release available in November that fixed it. Pity the poor sods that had had one for months.

    Still a lovely machine, but I would have to think seriously about buying another Lenovo.

    Cougar
    Full Member

    Looks like they thought they were just adding a form of adware and weren’t aware of the security hole it created (or so they say).

    I was thinking about this earlier and I do wonder how much they were actually aware. If Superfish said to them, “hey, we’ve got this great program which helps people search for things and we’ll give you a load of money if you include it” I can sort of see why they might agree to it.

    That said, I’d have thought that Lenovo would have an evaluation procedure that any software would be subject to. I’m quite surprised that this wouldn’t have been picked up, any piece of third party software carries an inherent risk. Would they have noticed a keylogger, a rootkit?

    I’d hope that this was down to incompetence at that level, and that they take steps to prevent it from happening again. If they knew, that’s a whole other level.

    monkeysfeet
    Free Member

    Bought the mum in law a Yoga Tablet for Xmas. Are these affected or is it just laptops?

    Cougar
    Full Member

    No idea. If it’s running Windows then it’s entirely possible.

    paul4stones
    Full Member

    I got a little 10.5″ laptop in November I think. It’s clear.


The topic ‘PSA: bought a Lenovo recently?’ is closed to new replies.