Microsoft Steps In To Clean Up Lenovo's Superfish Mess -- While Lenovo Stumbles And Superfish Remains Silent

from the the-cleaner dept

As we've been noting, both Lenovo and Superfish have been bungling their way through the response to the fact that they introduced a massive security hole in the way that Superfish's adware/malware dealt with HTTPS protected sites (by using a self-signed root certificate that was incredibly easily hacked, allowing basically anyone to create a simple man in the middle attack). Lenovo has been going through the motions, first insisting there was no security concern, then arguing that the concerns were theoretical and then quietly deleting its statement about the lack of security problems with Superfish. It also posted some instructions on removing both the software and the root certificate, and promised to have an automated system soon.

Superfish, on the other hand, has remained almost entirely silent. It gave some reporters bland statements insisting that there was no security risk, that it "stood by" Lenovo's statement, and insisted that Lenovo would come out with a statement that showed Superfish was not responsible for any of this mess. It also insisted that the company was fully "transparent" in how its software worked, but that's clearly not the case, because nowhere do they say "we create a massive man in the middle attack just so we can insert advertising images into your HTTPS surfing." At the time of writing this, Superfish appears to have nothing on its website about all of this. Its Twitter feed's last post, from yesterday mid-day simply says that Lenovo "will be releasing detailed information at 5 p.m. EST today."
Except, it did not. That's about when it modified its original "nothing to see here" statement, with instructions on how to remove Superfish. It did not, as Superfish had previously told journalists, include a statement "with all of the specifics that clarify that there has been no wrongdoing on our end." In fact, it still looks very much like there was tremendous wrongdoing on the part of Superfish in the way it decided to implement its technologies. And that's not even getting into Superfish's sketchy history.

In the end, while Lenovo and Superfish are flailing around, it was left to Microsoft to come in and clean up the mess, pushing out a Superfish Fix to its Windows Defender product:
Microsoft just took a major step towards rooting out the Superfish bug, which exposed Lenovo users to man-in-the-middle attacks. Researchers are reporting that Windows Defender, Microsoft's onboard anti-virus software, is now actively removing the Superfish software that came pre-installed on many Lenovo computers. Additionally, Windows Defender will reset any SSL certificates that were circumvented by Superfish, restoring the system to proper working order. It's a crucial fix, as many security professionals had been struggling to find a reliable method for consistently and completely undoing the harmful effects of the bug. To make sure the fix takes effect, any Superfish-affected Windows users should update their version of Windows Defender within the program and scan as soon as possible.
Perhaps it's not surprising that Superfish is struggling to figure out how to deal with this sudden attention as a smaller company, but Lenovo should have been on top of this issue much, much faster.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 20 Feb 2015 @ 11:49am

    How to know when your company has screwed up it's software:

    When your product makes it onto the list of malware removed by common virus/malware protection software.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 11:55am

    Lenovo makes two calls...

    Lenovo calls Superfish: Keep your mouth shut on this and we'll take care of it.

    Lenovo calls Micro$oft: How much would it cost us for you to clean up "Superfish's" mess? Oh, 1 Million, ok, I'll get a wire transfer to you ASAP.

    reply to this | link to this | view in chronology ]

  • identicon
    mcinsand, 20 Feb 2015 @ 11:59am

    how to know you're up the scatalogical creek

    If you're having to get security help from Microsoft, then you know that you're screwed!

    reply to this | link to this | view in chronology ]

  • identicon
    Mike K, 20 Feb 2015 @ 11:59am

    Lenovo - pad problem

    We are an Lenovo dealer but recently we have pushed away from recommending leveno laptops because of some simple problems wit the touch pads failing. Yes, dome firmware updating is needed however when a persons received a new laptop out of the box an the pad fails to function it reflects bad on the dealer who recommended it. I recently went to a best by and 50% of their Leveno laptops on display had the same problem - faulty touch pads. Come guys get it fixed and tell your dealers about the fix!

    If you live in Southeast Florida Advanced business computers is a great source for help. Computer network repair, printer and copier maintenance repairs, leasing and supplies.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 1:26pm

      Re: Lenovo - pad problem

      Cool, I'll stop in. I'm gonna be in the neighborhood anyway, picking up some weight-loss supplements at Roca Labs.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 12:09pm

    I miss the real Thinkpads...

    Lenovo has really ruined a good thing. I bought a T61 back when it was still IBM-branded and it was an awesome piece of kit. I then ordered a 520 a couple years ago (fully Lenovo) only to immediately return it. The plastics were cheap, the keyboard was utter shit, the Think Light (which I prefer over backlit) was positioned poorly and shined in my eyes most of the time. But the absolute worst was the track pad, which had a coating of raised textured dots that caused my skin to feel tingly and sore after a short time. It was kinda like gentle sandpaper... On a track pad! WTF?!

    Thinkpads used to be real machines, built for professionals. Today they feature cheap construction, shitty design and a bunch of crapware. Lenovo has it's head so far up it's own ass that they actually believe doubling down on the Superfish issue to be the right answer. What Lenovo needs to do is apologize, fire the dumbasses responsible for fucking up the Thinkpad brand and get on with building a proper line of laptops for people trying to do some real work. Otherwise, GTFO...

    It's a sad day when the Dell M4500 (business class) is superior in every way to Thinkpads.

    reply to this | link to this | view in chronology ]

  • identicon
    AC, 20 Feb 2015 @ 12:20pm

    Anyone want to guess . . .

    Anyone want to guess which US government agency made a bulk purchase of laptops around the time Lenovo was shipping the pre-compromised systems?

    reply to this | link to this | view in chronology ]

    • icon
      djl47 (profile), 20 Feb 2015 @ 2:17pm

      Re: Anyone want to guess . . .

      Homeland Insecurity?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 8:13pm

      Re: Anyone want to guess . . .

      Anyone want to guess which US government agency made a bulk purchase of laptops around the time Lenovo was shipping the pre-compromised systems?
      Probably not one you've ever heard of. No agency with a budget is going to run a vendor-supplied consumer version of Windows, except maybe to study it (e.g. the NSA looking for bugs to exploit). Even medium-to-large corporations will be running their own image.

      Anything targeting a government agency would be backdoored in a more subtle way, e.g. at the firmware level.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 12:28pm

    This is why certificate pinning matters folks. Deploy that shit.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 12:35pm

    Why are people calling this a bug? It looks like it's working as intended, just really poorly thought out.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 12:42pm

    i dont like microsoft, but i respect the idea behind windows defender software, more precisely, the idea of a piece of software that hopelly lasts indefiniatlly no matter what os version, a software thats sole purpose is to upate security/privacy and whatever else may come.....the idea being that any future os updates are built around the technicalities of allowing future updates to EVERYSINGLE os VERSION .......and not have the humongus mistake of older technology being a pittififully easy to hack with ever involving future hacks.........forced to buy new tech that MAY have better security and being forced to throw away the old.........one, what a waste, two, forced to spend money you dont have too.........mmmm i guess companies wouldnt mind that bit

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 12:48pm

      Re:

      Me again

      In this particular case, the idea behind this software, i tip my hat microsoft.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 Feb 2015 @ 12:55pm

        Re: Re:

        Me again thrice

        If in the off chance you might want to know how i would ever be a customer, or a supporter, then open source, open hardware and an ideaology i can get behind that your not afraid to express........now, i dont expect it, but i'd thought i'd offer it anyway, good faith gesture in response to my respect for the idea behind this software......thats what it takes, a small thing here, a small thing their, next thing you know, even the most elite hackers, either ethical hobbyist or evil imperialists, are hard pressed to find ANY vulnrabilities, or at LEAST the ones that are known are patched.......maybe in future........

        reply to this | link to this | view in chronology ]

  • icon
    Namel3ss (profile), 20 Feb 2015 @ 12:56pm

    Who'd have thought the day would come...

    When Microsoft would be the GOOD guys?

    Hell has indeed frozen over.

    reply to this | link to this | view in chronology ]

    • identicon
      PRMan, 20 Feb 2015 @ 3:07pm

      Re: Who'd have thought the day would come...

      In their defense, Microsoft has been pretty great since Satya Nadella took over. Windows 10 rocks, honestly.

      reply to this | link to this | view in chronology ]

      • icon
        John Fenderson (profile), 20 Feb 2015 @ 3:20pm

        Re: Re: Who'd have thought the day would come...

        "Microsoft has been pretty great since Satya Nadella took over"

        Some people keep saying that, but I have yet to see the evidence.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Feb 2015 @ 9:34am

      Re: Who'd have thought the day would come...

      Always knew Hell was somewhere in the Eastern US.

      reply to this | link to this | view in chronology ]

  • identicon
    bdj, 20 Feb 2015 @ 1:17pm

    Unbundle...

    Why is it that in 2015, it's still impossible for a regular consumer to buy a bare-bones laptop? How great that would be...

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Feb 2015 @ 1:23pm

      Re: Unbundle...

      You totally can. If you want Just Windows without all the OEM crap, you can buy a Microsoft Signature Series laptop. You can also buy many laptops without an operating system installed at all (do a search for "laptop no operating system installed" for numerous options)

      You can't really get more bare-bones than that.

      reply to this | link to this | view in chronology ]

      • identicon
        PRMan, 20 Feb 2015 @ 3:08pm

        Re: Re: Unbundle...

        And you can buy these machines and wipe them and install your own OS as soon as you get them (and if you use the right image, the activation code on the machine works on Windows 7 and Windows 8 and up will auto-activate pre-bought keys when you install clean).

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 20 Feb 2015 @ 8:22pm

        Re: Re: Unbundle...

        You can also buy many laptops without an operating system installed at all
        Is there any way to get these at a physical store or some other way that would avoid targeted NSA interdiction? This should be a real concern to anyone developing security software... or running an ISP or phone company or really any business that might have information on an "interesting" client (small hotels seem like an obvious target that I haven't seen reported yet).

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 1:31pm

    I guess it's fitting that Microsoft keeps its own certificate store clean and classifying Superfish as malware is completely right, but it's just scary again to see just how much power Microsoft holds over your computer.
    When I install my own certificate I wouldn't want Microsoft to be able to tamper with it. And if it couldn't it also couldn't touch Superfish's.

    I should switch to Linux soon.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 20 Feb 2015 @ 2:34pm

      Re:

      In fairness to Microsoft, this isn't really a Windows thing. Windows Defender is no different than any other such security software, and is totally optional to use. If you used the equivalent software in Linux, it would be able to do the exact same thing (if it couldn't, it wouldn't be very good security software).

      reply to this | link to this | view in chronology ]

      • identicon
        PRMan, 20 Feb 2015 @ 3:09pm

        Re: Re:

        Actually, Windows Defender is now installed and turned on by default.

        What's scarier to me is that Lenovo has this much power over your machine.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 1:38pm

    Adi Pinhas was interviewed here and in that article he made this glorious statement:

    The way we work, for example, is very different. We work a lot faster. We have fewer meetings, less formality. We are not saying "Sorry;" we are saying straight to your face, "This is a stupid idea."


    14% of the people working their have PhDs. If they are a bunch of straight-talking geniuses, how did they ship such a piece of crap software?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 1:38pm

      Re:

      Forgot to mention, Pinhas is CEO of Superfish.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Feb 2015 @ 1:56pm

      Re:

      "14% of the people working their have PhDs. If they are a bunch of straight-talking geniuses, how did they ship such a piece of crap software?"

      Asked and answered. (First sentence).

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Feb 2015 @ 2:31pm

    It's nice to know that Microsoft is treating this piece of malware as malware, but what about the other anti-virus companies? How fast --or slow-- were they in diaabling Superfish?

    The Sony Rootkit scandal demonstrated which antivirus companies put consumers first and which ones put corporate interests first. Kaspersky immediately disabled Sony's Rootkit, while on the other end of the scale, Symantec refused to classify Sony's rootkit code as malware. It was not until perhaps a week or two later, after receiving much criticism, that Symantec finally relented and had it's AV products remove Sony rootkit.

    This was no surprise, since Symantec had a long history of whitelisting corporate malware, such as Cydoor, Gator, and many other spyware programs that often came bundled with free software.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 20 Feb 2015 @ 11:28pm

    Lenovo released a removal tool, one wonders if they can't understand why people might not trust them.
    Perhaps they should have gotten a much more trustworthy company to release if for them... maybe Comcast.

    reply to this | link to this | view in chronology ]

  • identicon
    Oliver, 23 Feb 2015 @ 4:41am

    Are there still ppl out there that actualls USE Windows Defender?
    Istt that cause for much more concern, than that whole superfish debacle?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.