Microsoft Steps In To Clean Up Lenovo's Superfish Mess -- While Lenovo Stumbles And Superfish Remains Silent
from the the-cleaner dept
As we've been noting, both Lenovo and Superfish have been bungling their way through the response to the fact that they introduced a massive security hole in the way Superfish's adware/malware dealt with HTTPS-protected sites (by installing a self-signed root certificate whose private key was incredibly easy to recover, allowing basically anyone to mount a simple man-in-the-middle attack). Lenovo has been going through the motions: first insisting there was no security concern, then arguing that the concerns were theoretical, and then quietly deleting its statement about the lack of security problems with Superfish. It also posted some instructions on removing both the software and the root certificate, and promised to have an automated system soon.

Superfish, on the other hand, has remained almost entirely silent. It gave some reporters bland statements insisting that there was no security risk, that it "stood by" Lenovo's statement, and that Lenovo would come out with a statement showing Superfish was not responsible for any of this mess. It also insisted that the company was fully "transparent" in how its software worked, but that's clearly not the case, because nowhere do they say "we create a massive man-in-the-middle attack just so we can insert advertising images into your HTTPS surfing." At the time of writing this, Superfish appears to have nothing on its website about any of this. Its Twitter feed's last post, from yesterday mid-day, simply says that Lenovo "will be releasing detailed information at 5 p.m. EST today."
In the end, while Lenovo and Superfish are flailing around, it was left to Microsoft to come in and clean up the mess, pushing out a Superfish Fix to its Windows Defender product:
Microsoft just took a major step towards rooting out the Superfish bug, which exposed Lenovo users to man-in-the-middle attacks. Researchers are reporting that Windows Defender, Microsoft's onboard anti-virus software, is now actively removing the Superfish software that came pre-installed on many Lenovo computers. Additionally, Windows Defender will reset any SSL certificates that were circumvented by Superfish, restoring the system to proper working order. It's a crucial fix, as many security professionals had been struggling to find a reliable method for consistently and completely undoing the harmful effects of the bug. To make sure the fix takes effect, any Superfish-affected Windows users should update their version of Windows Defender within the program and scan as soon as possible.

Perhaps it's not surprising that Superfish is struggling to figure out how to deal with this sudden attention as a smaller company, but Lenovo should have been on top of this issue much, much faster.
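For anyone who would rather verify the cleanup than trust it, here is an added PowerShell check (not code from the article, Lenovo, Microsoft or Superfish) that lists certificates in the Windows root stores whose subject matches the vendor name or which carry a private key on the machine, the condition that lets local software forge certificates for any HTTPS site. The 'Superfish' subject pattern is an assumption taken only from the vendor name in the article.

```powershell
# Added example, not from the article or any of the companies it names.
# Reports trust anchors that look like a locally installed interception
# root. Matching the subject on "Superfish" is an assumption based solely
# on the vendor name; adjust the pattern for other vendors.
function Find-SuspiciousRootCert {
    param(
        [string]$SubjectPattern = 'Superfish'
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $reasons = @()
            if ($cert.Subject -match $SubjectPattern) {
                $reasons += 'subject matches pattern'
            }
            # A root CA whose private key is present on this machine can sign
            # a certificate for any site the browser trusts; that is the
            # man-in-the-middle condition the article describes.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present on this machine'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only. Removing a confirmed bad root is a separate, deliberate step
# (run from an elevated prompt for the LocalMachine store):
#   Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint from the report>"
Find-SuspiciousRootCert | Format-Table -AutoSize
```

Re-run the report after the Windows Defender scan described above; a clean result from both stores is the confirmation the article's quoted fix is meant to deliver.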
Filed Under: adware, malware, superfish, windows defenders
Companies: komodia, lenovo, microsoft, superfish
Reader Comments
When your product makes it onto the list of malware removed by common virus/malware protection software.
Lenovo makes two calls...
Lenovo calls Micro$oft: How much would it cost us for you to clean up "Superfish's" mess? Oh, 1 Million, ok, I'll get a wire transfer to you ASAP.
Re: Lenovo makes two calls...
how to know you're up the scatological creek
Lenovo - pad problem
If you live in Southeast Florida Advanced business computers is a great source for help. Computer network repair, printer and copier maintenance repairs, leasing and supplies.
Re: Lenovo - pad problem
I miss the real Thinkpads...
Thinkpads used to be real machines, built for professionals. Today they feature cheap construction, shitty design and a bunch of crapware. Lenovo has its head so far up its own ass that they actually believe doubling down on the Superfish issue to be the right answer. What Lenovo needs to do is apologize, fire the dumbasses responsible for fucking up the Thinkpad brand and get on with building a proper line of laptops for people trying to do some real work. Otherwise, GTFO...
It's a sad day when the Dell M4500 (business class) is superior in every way to Thinkpads.
Re: I miss the real Thinkpads...
Re: Re: I miss the real Thinkpads...
Re: Re: I miss the real Thinkpads...
Anyone want to guess . . .
Re: Anyone want to guess . . .
Re: Anyone want to guess . . .
Anything targeting a government agency would be backdoored in a more subtle way, e.g. at the firmware level.
Re:
"...proactive measures such as certificate pinning in Google Chrome will not alert users in cases like this because it doesn’t validate certificates chained to a private anchor."
https://blog.digicert.com/lenovos-superfish-adware-perils-self-signed-certificates/
Re:
Re:
In this particular case, for the idea behind this software, I tip my hat, Microsoft.
Re: Re:
If on the off chance you might want to know how I would ever be a customer, or a supporter, then open source, open hardware and an ideology I can get behind that you're not afraid to express........now, I don't expect it, but I thought I'd offer it anyway, a good faith gesture in response to my respect for the idea behind this software......that's what it takes, a small thing here, a small thing there, next thing you know, even the most elite hackers, either ethical hobbyists or evil imperialists, are hard pressed to find ANY vulnerabilities, or at LEAST the ones that are known are patched.......maybe in future........
Who'd have thought the day would come...
Hell has indeed frozen over.
Re: Who'd have thought the day would come...
Re: Re: Who'd have thought the day would come...
Some people keep saying that, but I have yet to see the evidence.
Re: Who'd have thought the day would come...
Unbundle...
Re: Unbundle...
You can't really get more bare-bones than that.
Re: Re: Unbundle...
Re: Re: Unbundle...
When I install my own certificate I wouldn't want Microsoft to be able to tamper with it. And if it couldn't it also couldn't touch Superfish's.
I should switch to Linux soon.
Re:
Re: Re:
What's scarier to me is that Lenovo has this much power over your machine.
14% of the people working there have PhDs. If they are a bunch of straight-talking geniuses, how did they ship such a piece of crap software?
Re:
Re:
Asked and answered. (First sentence).
The Sony Rootkit scandal demonstrated which antivirus companies put consumers first and which ones put corporate interests first. Kaspersky immediately disabled Sony's Rootkit, while on the other end of the scale, Symantec refused to classify Sony's rootkit code as malware. It was not until perhaps a week or two later, after receiving much criticism, that Symantec finally relented and had its AV products remove the Sony rootkit.
This was no surprise, since Symantec had a long history of whitelisting corporate malware, such as Cydoor, Gator, and many other spyware programs that often came bundled with free software.
Perhaps they should have gotten a much more trustworthy company to release it for them... maybe Comcast.
Isn't that cause for much more concern than the whole Superfish debacle?