Microsoft Steps In To Clean Up Lenovo's Superfish Mess -- While Lenovo Stumbles And Superfish Remains Silent

from the the-cleaner dept

As we've been noting, both Lenovo and Superfish have been bungling their way through the response to the fact that they introduced a massive security hole in the way that Superfish's adware/malware dealt with HTTPS protected sites (by using a self-signed root certificate that was incredibly easily hacked, allowing basically anyone to create a simple man in the middle attack). Lenovo has been going through the motions, first insisting there was no security concern, then arguing that the concerns were theoretical and then quietly deleting its statement about the lack of security problems with Superfish. It also posted some instructions on removing both the software and the root certificate, and promised to have an automated system soon.

Superfish, on the other hand, has remained almost entirely silent. It gave some reporters bland statements insisting that there was no security risk, that it "stood by" Lenovo's statement, and insisted that Lenovo would come out with a statement that showed Superfish was not responsible for any of this mess. It also insisted that the company was fully "transparent" in how its software worked, but that's clearly not the case, because nowhere do they say "we create a massive man in the middle attack just so we can insert advertising images into your HTTPS surfing." At the time of writing this, Superfish appears to have nothing on its website about all of this. Its Twitter feed's last post, from yesterday mid-day simply says that Lenovo "will be releasing detailed information at 5 p.m. EST today." Except, it did not. That's about when it modified its original "nothing to see here" statement, with instructions on how to remove Superfish. It did not, as Superfish had previously told journalists, include a statement "with all of the specifics that clarify that there has been no wrongdoing on our end." In fact, it still looks very much like there was tremendous wrongdoing on the part of Superfish in the way it decided to implement its technologies. And that's not even getting into Superfish's sketchy history.

In the end, while Lenovo and Superfish are flailing around, it was left to Microsoft to come in and clean up the mess, pushing out a Superfish Fix to its Windows Defender product:

Microsoft just took a major step towards rooting out the Superfish bug, which exposed Lenovo users to man-in-the-middle attacks. Researchers are reporting that Windows Defender, Microsoft's onboard anti-virus software, is now actively removing the Superfish software that came pre-installed on many Lenovo computers. Additionally, Windows Defender will reset any SSL certificates that were circumvented by Superfish, restoring the system to proper working order. It's a crucial fix, as many security professionals had been struggling to find a reliable method for consistently and completely undoing the harmful effects of the bug. To make sure the fix takes effect, any Superfish-affected Windows users should update their version of Windows Defender within the program and scan as soon as possible.

Perhaps it's not surprising that Superfish is struggling to figure out how to deal with this sudden attention as a smaller company, but Lenovo should have been on top of this issue much, much faster.

Filed Under: adware, malware, superfish, windows defenders
Companies: komodia, lenovo, microsoft, superfish

Lenovo CTO Claims Concerns Over Superfish Are Simply 'Theoretical'

from the find-a-new-cto dept

Lenovo keeps making things worse. First it installed crappy Superfish malware/adware on a bunch of its computers. That was bad enough. But the real problem was that in a clever little "hack" to get around the fact that the adware wouldn't work on HTTPS enabled pages, Superfish installed its own self-signed root certificate to basically create a massively dangerous man-in-the-middle attack to snoop on what you were doing on those HTTPS pages. Oh, and to make it even worse, the company made sure that everyone who had this Superfish self-signed root certificate had the exact same certificate with an easily cracked password, so that a massive and easily exploited vulnerability is in place in tons of machines out there. And Lenovo's first response was to insist there was no evidence of any security concerns. It later, quietly, deleted that statement, but still seems to be unwilling to admit what an incredibly dangerous situation it has created.

In fact, the company is still in denial mode. Lenovo's CTO, Peter Hortensius, was interviewed by the WSJ, and he insisted that any threats were "theoretical."

WSJ: There seems to be a disparity between what security researchers are saying about the potential dangers of this Superfish software, and what the company has said about this app not presenting a security risk.

Hortensius: We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns. We have no insight that anything nefarious has occurred. But we agree that this was not something we want to have on the system, and we realized we needed to do more.

Fire your CTO, Lenovo. Fire your marketing people. Fire your security team. This is a disaster. In our first post, we compared it to the Sony rootkit fiasco from a decade ago, while noting the security risk here is much, much greater. And, so far, Lenovo appears to be playing straight from the Sony rootkit response playbook. If you don't recall, after security folks pointed out what a security disaster the rootkit was, Sony's response was to dismiss the concerns as... theoretical:

"Most people, I think, don't even know what a rootkit is, so why should they care about it?"

In both cases, these technologies opened up giant, massive vulnerabilities on people's computers. In both cases, they were easily exploitable (in the Lenovo case, much, much, much more easily exploitable in a much, much, much more nefarious way). And, in both cases, senior execs from the company tried to handwave it away because they don't know if anyone abused these problems. This ignores that (1) it's quite possible people have been abusing these vulnerabilities for months and it's just not public yet, and (2) more importantly, it doesn't fucking matter because the vulnerability is still there and easily exploitable by lots and lots of people now because it's widely known.

Handwaving this off as a "theoretical" concern is not just missing the point -- it suggests a fundamental lack of understanding about rather basic security practices. As I mentioned earlier, I've been a very loyal Thinkpad buyer for years (though, thankfully, the machine I bought a couple months ago wasn't one infected this way). Every time I've dabbled with other laptops I've regretted it. But Lenovo's response to this is very quickly convincing me that the company should never get any more money from me. It's not just the initial screwup in preinstalling such a security mess, but the completely ridiculous response to it that suggests a company that still doesn't recognize what it has done.

Filed Under: certificate, danger, peter hortensius, security, self-signing, superfish
Companies: komodia, lenovo, superfish

Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish... While Superfish Says 'No Consumers Vulnerable'

from the own-it dept

Wednesday night, the security world blew up with the news (which had actually been out there for a while), that the adware/malware Superfish that Lenovo had been installing by default on many laptops included a massive and dangerous security vulnerability by installing its own, self-signed root HTTPS certificate, and then basically mounting a man in the middle attack on every single HTTPS connection -- and doing so with an easily hacked certificate, creating a giant vulnerability for anyone owning one of those laptops. We were shocked at the tone-deafness of Lenovo's initial response, which didn't even name which laptops Superfish was installed on, and made this blatantly bullshit statement:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

However, within hours, Lenovo had quietly updated its statement to remove that line. The company is now also (finally) admitting which laptops were infected and put together a page about how to remove the software and the rogue certificate. That's better, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.

Speaking of which, Superfish has remained remarkably quiet as well. At the time I write this, there is nothing about this on its website, and it's only given a ridiculously misleading statement to reporters:

Superfish has not been active on Lenovo laptops since December. We standby this Lenovo statement: http://news.lenovo.com/article_display.cfm?article_id=1929.

It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.

First of all, at the time it "stood by" the Lenovo statement, that statement was blatantly false in claiming that there were no security concerns. Similarly, it's simply not at all true that Superfish is "completely transparent" because no one knew that it was inserting its own self-signed certificate and using it on every HTTPS connection. Furthermore, consumers absolutely were vulnerable.

Finally, there's Komodia. As Robert Graham discovered when he hacked the Superfish certificate, the password is "komodia" which just happens to be a company that sells a product for... creating these kinds of man in the middle attacks on HTTPS connections, mainly for parental spyware. The company is also entirely silent on this stuff. Its website looks like it hasn't been updated recently. It has various blogs and a Facebook page, none of which appear to have been updated since 2013.

However, as security researchers are discovering, Komodia's tool is being used in other crappy spyware/malware and always in the same terrible manner -- all using the password "komodia." As Marc Rogers notes:

What does this mean? Well, this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.

This problem is MUCH bigger than we thought it was.

The software known to use Komodia are Komidia's own "Keep My Family Secure," Qustodio's parental control software and the Kurupira Webfiler -- all of which likely are very vulnerable thanks to this idiotic implementation.

Lenovo, Superfish and Komodia all have done a piss poor job taking responsibility for the massive security vulnerability they created.

Filed Under: privacy, security, superfish, vulnerability
Companies: komodia, lenovo, superfish

Lenovo In Denial: Insists There's No Security Problem With Superfish -- Which Is Very, Very Wrong.

from the so-long-and-thanks-for-all-the-superfish dept

Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware on those machines called Superfish. Many news stories started popping up about this, again, focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man in the middle attack on any computer with the software installed, making it a massive security hole that is insanely dangerous.

Lenovo's response? Basically to shrug its shoulders and say it doesn't understand why anyone's that upset. This is because whoever wrote Lenovo's statement on this is completely clueless about computer security.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

Bullshit. That's really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you're doing and sends info back to third parties. That's not what Superfish does, so Lenovo doesn't see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of "Most Promising American Companies," tries to watch what you're surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing all together.

The real problem is in how Superfish deals with HTTPS protected sites. Since, in theory, it shouldn't be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it just installs a root HTTPS certificate, that it signs itself, to pretend that any HTTPS page you're visiting is perfectly legitimate. For many years, we've pointed out why the HTTPS system with certificate authorities is open to a giant man in the middle attack via any certificate authority willing to grant a fake certificate -- and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, EVERY SINGLE HTTPS SITE that you visit was a victim of this kind of MITM attack -- solely for the purpose of interjecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically this is a massively dangerous security hole with wide ranging implications. And Lenovo says they don't see why.

And, even beyond that, it's implemented incredibly stupidly -- in a way that is ridiculously dangerous. That's because it appears that the private key use for the Superfish certificate is the same on basically every install of this software. And it didn't take very long at all for security folks, such as Robert Graham, to crack the password, meaning that it's now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is "komodia" which just so happens to also be the name of a company that "redirects" HTTPS traffic (for spying on kids and such).

This is a massive and ridiculous security threat, and Lenovo is completely brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn't like the way the software created popups and such -- but with no mention of the massive security problems. And, even now, the company doesn't seem willing to admit to them.

Furthermore, the company doesn't even seem willing to say what machines it installed them on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won't do it). This is a huge mess. I've personally been a very loyal Lenovo Thinkpad customer for years, having bought many, many laptops. In fact, just a couple months ago -- right in the middle of the period of when Superfish was being preloaded -- I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don't seem to recognize it at all. This kind of fuck up is much worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn't seem to have the slightest clue of just how badly it has put people at risk.

It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with it's pitiful reaction here. It's one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It's a second thing to not realize the security implications of it. However, it's another thing entirely, once it's been pointed out to Lenovo to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it's responded to the mess it created.

Filed Under: adware, certificate authority, concerns, https, man in the middle, privacy, security, superfish, tls
Companies: komodia, lenovo, superfish

Google Dumps Motorola, Keeps The Patents

from the but-of-course dept

Back when Google first bought Motorola Mobility it was obvious that it was entirely about the patents. While there are still plenty of questions as to whether or not those patents are any good, Google needed to get its hands on a big bunch of patents for defensive reasons pretty quickly, and after losing out on Nortel's patents, picking up Motorola was apparently the quickest way. In fact, quite a few people expected Google to just dump Motorola's handset business quickly, in part to avoid competing with a variety of other Android partners, like Samsung and HTC. We even predicted that Google would likely sell off the handset business and keep the patents. However, Google insisted for a while that it was really going to make a go of being in the handset business itself.

Well, that little pipedream is now over, with Google selling off the handset business to Lenovo for $2.91 billion. Some are pointing out the rather massive difference between this and the initial purchase price of $12.4 billion, but that leaves out a lot: mainly, Google is keeping the patents and just licensing them back to the company. In 2012, Google claimed that it valued the patents at $5.5 billion. Also, it got $2.9 billion in cash from Motorola, and I'd imagine that's not going to Lenovo too... Instead, at the time of the acquisition, Google said it valued Motorola's customer relationships at $730 million and "other net assets" at $670 million -- and then had another $2.6 billion in goodwill (more or less the premium Google had to pay to get Motorola to sell). Given that, the sale isn't a huge "loss", though it does make Google look kind of silly for pretending it was really in the hardware business for a bit.

In the end, just as we predicted at the beginning, this is a story of the silly things a tech company is forced to do these days because of our stupid patent laws. The end result here pretty much confirms it all. Google shelled out $12.4 billion for a bunch of patents and hung onto a hardware business it never really wanted, and which it has now discarded. Without the pointless patent battles, it's unlikely Google ever would have bothered. So: would we be better off in a world where Google had actually been able to invest that money into making better offerings? Or where Motorola's investors got it?

Filed Under: handsets, patents
Companies: google, lenovo, motorola mobility

No, Having To Pay To Downgrade From Vista To XP Is Not An Antitrust Violation

from the that's-not-how-it-works dept

Last year we noted that while it was amusing to see a lawsuit from someone angry that they had to pay to downgrade from Vista to XP on their computer, it was hard to see how it was an antitrust violation, as the lawsuit was alleging. As we joked, perhaps that could be Microsoft's new business model: keep coming out with worse and worse operating systems, but charge people more and more to stick with the older systems. Either way, as we expected, that lawsuit didn't last long and was recently thrown out. As the court found, there was no evidence that Microsoft actually benefited from users downgrading. It seems pretty clear that Microsoft has always wanted people to sign up for its latest operating systems, and it would greatly prefer that over anyone (paying or not) downgrading to older versions. It also turned out that the "fee" the woman who brought the lawsuit paid was not to Microsoft, but to the computer manufacturer (in that case, Lenovo). In fact, the court pointed out that, technically, Microsoft gave a "free" extra operating system with the deal, since the buyer received both Vista and XP, at no additional revenue to Microsoft.

Filed Under: antitrust, downgrades, vista, xp
Companies: lenovo, microsoft

CyberSitter Sues The Chinese Government (In Los Angeles) Over Green Dam Filters

from the good-luck-with-that dept

Last summer, of course, there was a lot of attention paid to China's announced plans that every PC sold in China needed to include the new "Green Dam Youth Escort" software, which was a client-side filtering program. After international outrage over the plan actually had some sort of impact, the government backed down. A smaller story, that came out during all of this, was that the Green Dam software appeared to copy significant portions of the commercial filter product, CyberSitter. Now, CyberSitter has sued the Chinese government and a bunch of companies for $2.2 billion. The lawsuit has been filed in Los Angeles, and I would wonder what jurisdiction a Los Angeles district court has over the Chinese government concerning software that was only to be used in China.

While the lawsuit does include the expected copyright claim, it also goes much further to claim trade secret violations and "conspiracy." And while the Chinese government is obviously the headline grabber, it also includes Sony, Lenovo, Toshiba, Acer, ASUSTek, BenQ and Haier, claiming that these computer makers were in on the conspiracy. While many of those have US operations, it seems like a longshot that (a) the court has jurisdiction over their actions in China or (b) the charge of "conspiracy" has any chance of sticking.

Filed Under: china, conspiracy, copyright, filters, green dam
Companies: acer, asustek, benq, cybersitter, haier, lenovo, sony, toshiba

Wi-LAN Follows New Patent Hoarder Strategy: Sue Everyone All At Once

from the this-is-innovation? dept

Three and a half years ago, I wrote an article about the coming WiFi patent problem, focusing on the Canadian company Wi-LAN who claimed a bunch of patents related to WiFi technology. The company started off by suing Cisco. That lawsuit was eventually settled, but Wi-LAN clearly wasn't done yet. The company has now sued 22 different companies for violating its patents. This strategy seems to be the new strategy of patent holders: sue a ton of high profile companies all at once. It's what Sandisk did for example. Why is it becoming more popular? Because these patent holders are afraid that one of the potential targets might sue them first, seeking a declaratory judgment saying they don't infringe, and do so in a court other than the patent friendly court in Marshall, Texas. Oh yeah, Wi-LAN also notes that it's more economical to sue everyone at once. How nice of them.

Of course, Wi-LAN is hardly the only company that claims patents having to do with WiFi. It's a true patent thicket. If all these patents were actually valid and needed to be licensed no one could afford WiFi and it would be worthless. It's also worth noting that Wi-LAN's target list is somewhat ridiculous as well. It appears to be suing up and down the supply chain from chip suppliers like Broadcom and Intel to computer makers like Apple, Dell, Lenovo and Sony all the way to retailers like Best Buy and Circuit City. Assuming that all are somehow responsible for paying Wi-LAN the company could conceivably get license fees three or four times for the same computer. It's not hard to start adding up the questionable things going on here: (1) broad patents that are claimed to be important for a standard long after that standard has become widespread (2) these patents are one of many, many patents that claim to cover WiFi technology (3) filing the lawsuit against many companies at once (4) filing the lawsuit in east Texas and (5) filing the patents up and down the supply chain. This isn't what the patent system was designed to do and patent attorneys know it.

Filed Under: patents, wifi
Companies: acer, apple, best buy, broadcom, circuit city, dell, intel, lenovo, sony, texas instruments, wi-lan

Playlist Patented... Everyone Sued... But Did Apple Pay Up?

from the sounds-like-it dept

A bunch of folks have been submitting the latest story on a patent hoarding firm, Premier International Associates, who appears to have absolutely no other business than getting its hands on questionable, overly broad, obvious patents and then suing everyone possible. In this case, the patent is for the basic concept of a playlist, which can be found just about anywhere. So, it should come as little to no surprise that the list of companies sued is quite long, including: Microsoft, Verizon, AT&T, Sprint, Dell, Lenovo, Toshiba, Viacom, Real, Napster, Samsung, LG, Motorola, Nokia, Sandisk, HP, Acer, Gateway and Yahoo (phew!). That's quite a list, though it's not surprising to see that there are a ton of companies offering software that has a concept so basic and so obvious as a playlist.

However, there is one very interesting point here. Apple is missing from the list. As the folks over at Ars Technica figured out, Premier actually had sued Apple about this same patent back in 2005, but at the same time it was filing all these new patent lawsuits it filed to dismiss the Apple suit, suggesting that Apple most likely paid off the company (perhaps giving it the money needed to suddenly sue every other company in the universe. Apple certainly has a history of doing this. When the company was sued on a rather similar obvious patent on a hierarchical menu-based user interfaces held by Creative, it eventually (after spending some time fighting it) decided to simply pay $100 million to be left alone. Of course, all that did was allow Creative to head out and sue plenty of others. Sound familiar? By settling on these questionable patent claims, all Apple is doing is encouraging more lawsuits of this nature for itself, as well as others.

Filed Under: patent trolls, patents, playlists
Companies: apple, at&t, dell, lenovo, microsoft, napster, real, sprint, toshiba, verizon, viacom

India Starts To Flex Its Creative Side

from the the-creative-class dept

When companies move part of their operations to India, it's usually for something like back office support or software development. Creative work is typically not the first thing that companies would think to move there. But Chinese computer maker Lenovo has announced that India will be the home of its advertising operations, and that the unit will be tasked with designing advertising campaigns for a global audience. It may be too early to call it a trend, but this should be worrisome to the advertising industry's New York-based stalwarts. One advantage that Indian advertisers have is that they're used to building campaigns that play well in multiple languages, simply due to the various languages within India itself. For them, advertising to a global audience is a natural next step. And, of course, there are cost advantages. It's sill much cheaper to hire advertising professionals in India than it is in New York. While incumbent advertising agencies are likely to stick around for some time, it wouldn't be a surprise to see them move more of their own operations to the country, a la other services firms, like IBM.

Filed Under: advertising, india
Companies: lenovo