Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish… While Superfish Says 'No Consumers Vulnerable'

from the own-it dept

Wednesday night, the security world blew up with the news (which had actually been out there for a while) that the Superfish adware/malware Lenovo had been installing by default on many laptops included a massive and dangerous security vulnerability: it installed its own self-signed root HTTPS certificate and then basically mounted a man-in-the-middle attack on every single HTTPS connection — and did so with an easily hacked certificate, creating a giant vulnerability for anyone owning one of those laptops. We were shocked at the tone-deafness of Lenovo’s initial response, which didn’t even name which laptops Superfish was installed on, and made this blatantly bullshit statement:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

However, within hours, Lenovo had quietly updated its statement to remove that line. The company is now also (finally) admitting which laptops were infected and put together a page about how to remove the software and the rogue certificate. That’s better, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.

Speaking of which, Superfish has remained remarkably quiet as well. At the time I write this, there is nothing about this on its website, and it’s only given a ridiculously misleading statement to reporters:

Superfish has not been active on Lenovo laptops since December. We stand by this Lenovo statement: http://news.lenovo.com/article_display.cfm?article_id=1929.

It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable; we stand by this today. Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.

First of all, at the time it “stood by” the Lenovo statement, that statement was blatantly false in claiming that there were no security concerns. Similarly, it’s simply not at all true that Superfish is “completely transparent” because no one knew that it was inserting its own self-signed certificate and using it on every HTTPS connection. Furthermore, consumers absolutely were vulnerable.

Finally, there’s Komodia. As Robert Graham discovered when he hacked the Superfish certificate, the password protecting its private key is “komodia,” which just happens to be the name of a company that sells a product for… creating exactly these kinds of man-in-the-middle attacks on HTTPS connections, mainly for parental spyware. The company is also entirely silent on this stuff. Its website looks like it hasn’t been updated recently. It has various blogs and a Facebook page, none of which appear to have been updated since 2013.

However, as security researchers are discovering, Komodia’s tool is being used in other crappy spyware/malware and always in the same terrible manner — all using the password “komodia.” As Marc Rogers notes:

What does this mean? Well, this means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected.

This problem is MUCH bigger than we thought it was.

The software known to use Komodia’s tool includes Komodia’s own “Keep My Family Secure,” Qustodio’s parental control software and the Kurupira Webfilter — all of which are likely just as vulnerable thanks to this idiotic implementation.

Lenovo, Superfish and Komodia all have done a piss poor job taking responsibility for the massive security vulnerability they created.

Companies: komodia, lenovo, superfish


Comments on “Lenovo Quietly Deletes That Bit About 'No Security Concerns' To Superfish… While Superfish Says 'No Consumers Vulnerable'”

29 Comments
Anonymous Coward says:

The fun never ends

Oh, and that man in the middle attack it does? It validates the certificate, and if it’s invalid, changes the domain name in the certificate so it won’t match in the browser.

But there are two different ways to match a domain name to a certificate, and they forgot the other one. So anyone can create an invalid certificate which, when passed through any of these Komodia proxies, will be treated as valid by the browser. The attacker doesn’t even have to use the Superfish key.
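The comment above turns on how a client matches a hostname to a certificate. The following is an added illustration, not code from the article or from any of the vendors named in it: it implements the hostname check a standards-following client makes (subjectAltName dNSName entries first, CN only as a fallback when no SAN is present, RFC 6125-style wildcard rules) next to a CN-only check, and runs both against two constructed certificate records modelled in the dict shape Python's `ssl` module returns from `getpeercert()`. The proxy behaviour it models (an altered CN on a re-signed copy, SAN copied unchanged) and the placeholder CN value are assumptions made for the example.

```python
"""Hostname verification against a TLS certificate: subjectAltName first, CN last.

Added example (not code from the article or from any vendor it names).
Certificates are plain dicts in the shape Python's ssl module returns from
getpeercert(), so this runs offline on constructed data: 'subject' is a tuple
of RDNs, each a tuple of (attribute, value) pairs, and 'subjectAltName' is a
tuple of (type, value) pairs.
"""


def match_dns_name(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against a hostname.

    Case-insensitive; a wildcard is accepted only as the whole leftmost label,
    matches exactly one label, and needs at least two labels after it (so
    '*.com' never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def subject_common_name(cert):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def names_a_client_checks(cert):
    """Names a standards-following client compares against the hostname.

    Every dNSName entry of subjectAltName is used; the CN is consulted only
    when the certificate carries no dNSName at all.
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    cn = subject_common_name(cert)
    return [cn] if cn is not None else []


def hostname_matches(cert, hostname):
    """The SAN-aware check a modern browser makes."""
    return any(match_dns_name(name, hostname) for name in names_a_client_checks(cert))


def cn_only_matches(cert, hostname):
    """The check that 'rewrite the CN to force a mismatch' assumes every client makes."""
    cn = subject_common_name(cert)
    return cn is not None and match_dns_name(cn, hostname)


# Constructed certificate for a site whose names live in the SAN, as every
# current publicly trusted certificate's do.
SITE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

# Constructed model (an assumption for this example) of the proxy behaviour the
# comment describes: the upstream certificate failed validation, so the
# re-signed copy handed to the browser gets an altered CN meant to trigger a
# name mismatch, while the SAN entries are copied unchanged. The CN value is a
# placeholder of ours, not anything a real product emits.
CN_REWRITTEN_CERT = {
    "subject": ((("commonName", "verify-fail.invalid"),),),
    "subjectAltName": SITE_CERT["subjectAltName"],
}


def rewrite_signals_failure(cert, hostname):
    """True only if a SAN-aware client would actually reject the rewritten certificate.

    For SAN-bearing certificates the answer is False: the client never looks at
    the rewritten CN, so the intended mismatch never happens. The robust way to
    surface an upstream validation failure is to refuse the connection rather
    than to mint a certificate designed to fail.
    """
    return not hostname_matches(cert, hostname)


if __name__ == "__main__":
    print("CN-only client rejects rewritten cert:", not cn_only_matches(CN_REWRITTEN_CERT, "example.com"))
    print("SAN-aware client rejects rewritten cert:", rewrite_signals_failure(CN_REWRITTEN_CERT, "example.com"))
```

The design point for anyone building or auditing an interception proxy: a certificate has several name fields, and a client is entitled to consult any of them, so "make one field not match" is not a reliable way to propagate a validation failure. The only check-free way to communicate "the upstream certificate was bad" is to not complete the handshake at all.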

Anonymous Coward says:

Re: You know who owns Lenovo now, right?

Oh, and Motorola as well. Two brands I will never buy.

I know what you are thinking, much of our tech is made there and that is true. But with a fully owned company, they are free to put whatever spyware software or hardware they want. With other companies, they would have to get past their engineers with that stuff. Could they do it? Sometimes, but get caught once and they are done.

Groaker (profile) says:

Not free to put spyware on computers

Private companies are not free to do what they like. They have fiduciary, privacy, and good practice requirements to meet.

My bank can not advertise my balances in the local paper. My computer can not knowingly have spyware installed by the manufacturer that sends my passwords to a third party. A car manufacturer can not legally sell a car whose brakes will fail one time in a thousand.

The “we are a private company and can do as we like” mantra is nothing but fabrication. Products of companies must meet implicit warranties of merchantability and fitness. Failure to meet those legal criteria opens a company to civil and criminal liability. I don’t know if Lenovo committed the actions described above or not. But any company that did so would almost certainly be in breach of implied warranties.

John Fenderson (profile) says:

Re: Not free to put spyware on computers

However, many companies (and the larger they are the more likely they are to think this way) don’t view the mere fact that something is illegal as a reason to avoid doing it. They just boil it down as a cost/benefit analysis: if they can make more money by breaking the law (taking into account the expected payout in fines when they get caught), they will break the law without a second thought.

Anonymous Coward says:

Companies have always claimed vulnerabilities to be “theoretical”, not a real threat, etc., until there’s a ridiculous amount of proof. This is why security researchers release exploits with their advisories: in the 90s they didn’t, and companies would always play up the angle that only some kind of rich genius or foreign government would be able to figure out how to exploit whatever was being reported. Even recently, most sites didn’t deploy strong crypto until Firesheep and sslstrip existed.

I wouldn’t be surprised if Lenovo and/or Superfish continued to deny it until someone actually has an account cracked and there’s a sworn deposition, from a security expert, showing their software was to blame.

always in the same terrible manner — all using the password “komodia.”

This doesn’t matter at all. They could use a unique strong password on each computer, and it would make no difference because that password must be stored on the computer so it can decrypt the certificate… which is the same on every computer anyway.

dkone says:

Lenovo's statement is such BS

I am so sick and tired of these types of statements when a corporation/politician gets caught with their hand in the cookie jar.

“we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security”

So what you are saying is that either you have no one in your corporation who knows jack shit about security and moral responsibility OR you have the wrong people working above them with the authority to override them. In either case, time will not fix the problem. I take that back, time will fix the problem but only because you are banking on the consumer forgetting your past.

As far as Lenovo’s and just about any other manufacturer’s stance on pre-installing shit software on machines… Just stop it altogether. If I buy a machine with Win7 Pro, that is all I want. If they insist on doing it, then there should be a full disclaimer about every single piece of other software pre-installed.

Anonymous Coward says:

Re: Lenovo's statement is such BS

“I am so sick and tired of these types of statements when a corporation/politician gets caught with their hand in the cookie jar.”

They all seem to follow the same playbook:

First you lie outright. When that doesn’t work, then you start mixing in half-truths and taking back some of the lies. Repeat as needed. Never admit to more than you’re forced to.

A full admission of the truth — if it ever comes — will be the result of a long process of dragging it out of them piece by piece by debunking all their lies and distortions.

Of course, a few will prefer to be a Dick Cheney and deny everything to the bitter end.

Anonymous Coward says:

Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end.

That they jumped immediately to denying wrongdoing tells me this statement was written by a lawyer, in-house if they have one, and likely with at least some briefing on the problem. They have opted, possibly rightly from a legal liability point of view, to completely ignore the public relations disaster and jump straight to liability control. From my limited readings on civil liability, they probably cannot find a way to admit that this was a bad idea without having that admission come back to haunt them in any future court proceedings. Therefore, their only course of action is to deny that mistakes were made.

As for the claims that users were never vulnerable, the only ways they could possibly believe that are either extreme incompetence or NSA-style redefinition. If by “vulnerable” they mean that their software never actively sent your plaintext around, then yes, users were never vulnerable – as long as they never talk to anyone untrustworthy who sends a certificate that exploits the great gaping hole in the product. That’s about as useful as saying “This window provides great privacy, as long as you don’t let any peeping toms get within a mile of it.”

That One Guy (profile) says:

Re: They did...

Given what else they’ve said during this debacle, I’d say that’s less an honest apology and admission that they were wrong, and more an attempt to salvage at least something after realizing that people weren’t buying the ‘There’s nothing to see here, no glaring security holes, move along’ line.

That One Guy (profile) says:

Re: Re: Re: They did...

Yeah, do a very public interview with the WSJ claiming it’s ‘No big deal’ and the concerns people are voicing are overblown and the potential problems ‘theoretical’ and then ‘apologize’ via Twitter, an ‘apology’ that will only be seen by those that are following them on that service?

Umm, no, they’re going to have to try a little harder than that if they want people to believe that they’re sincere. Contacting the WSJ and making a public retraction of their previous claims would be a good start, but given how utterly dismissive they’ve been during the whole thing, they’ve got a lot to make up for.

John Fenderson (profile) says:

Re: Re: Re:2 They did...

” they’re going to have to try a little harder than that if they want people to believe that they’re sincere.”

Indeed. I think their underlying problem here is that they genuinely aren’t sincere. They’re just trying to find the proper mouth-noises that will make the whole thing vanish from the public consciousness.

The Wanderer (profile) says:

Removal link update

A year and a half later, the provided link for the Lenovo removal-instructions PDF is now a 404; as best I can tell, the official removal instructions and list of affected products from Lenovo are now at:

https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206

That page does not itself actually explain how to remove Superfish, but it does link to two separate pages for that purpose, one of which provides a dedicated removal tool.
