The Chinese PC manufacturer Lenovo said Thursday it will no longer pre-install on its devices the Superfish adware that has been denounced by cyber-security experts as making users vulnerable to hacking.
“Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active,” Lenovo said in a statement Thursday. “Lenovo stopped preloading the software in January. We will not preload this software in the future.”
Currently, the vulnerability can only be removed manually by affected Lenovo device users, and Lenovo said it is working on a software update to close the security hole.
“As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops,” Lenovo’s CTO Peter Hortensius told the Wall Street Journal.
Cyber-security experts say that the Superfish adware exposes Lenovo devices to spying even over normally secure connections, such as those used for banking, and have called Lenovo’s decision to install the adware a serious breach of ethics. Some have gone so far as to label Superfish “malware.”
“We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position,” Marc Rogers, a security researcher at CloudFlare, wrote on his blog Thursday. “When bad guys are able to get into the supply chain and install malware it is devastating.”
Superfish makes users vulnerable to “man-in-the-middle” attacks even when browsing over an encrypted web connection, Rogers says. Because the software carries an unrestricted trusted root certificate, the interception escapes the usual browser security checks, security experts say.
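To make the mechanism concrete, here is an added example (not code from the article or from Lenovo/Superfish) that models why a planted root certificate defeats the browser's checks, and the defender-side audit that catches it. It uses a toy trust model with HMAC tags standing in for X.509 signatures; every key, CA name (including "Superfish Root") and hostname is constructed for illustration, not taken from the real certificate.

```python
import hashlib
import hmac

# Constructed toy PKI: a "certificate" is a dict carrying a subject, the issuing
# CA's name and a tag made with the issuer's key. HMAC is a stand-in for a real
# signature, so the verifier here holds the key too; the validation logic is the
# point: anything chaining to a root in the trust store is accepted silently.

def sign_cert(subject, issuer_name, issuer_key):
    """Issue a leaf certificate for `subject` under the CA `issuer_name`."""
    msg = f"{subject}|{issuer_name}".encode()
    tag = hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()
    return {"subject": subject, "issuer": issuer_name, "tag": tag}

def verify_cert(cert, trust_store):
    """Browser-style check: True if the cert chains to a root in the trust store."""
    root = trust_store.get(cert["issuer"])
    if root is None:
        return False
    msg = f"{cert['subject']}|{cert['issuer']}".encode()
    expected = hmac.new(root["key"], msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["tag"])

# Constructed baseline: the roots the OS vendor actually ships.
VENDOR_BASELINE = {"Example Public CA"}

def audit_trust_store(trust_store, baseline=VENDOR_BASELINE):
    """Defender check: root CAs present on the machine but absent from the baseline."""
    return sorted(name for name in trust_store if name not in baseline)

def demo():
    public_ca_key = b"constructed-public-ca-key"
    adware_key = b"constructed-adware-root-key"  # identical on every affected machine
    clean_store = {"Example Public CA": {"key": public_ca_key}}
    # Affected machine: the adware's own root was added to the trusted store.
    affected_store = dict(clean_store, **{"Superfish Root": {"key": adware_key}})
    # Whoever holds the adware key can mint a certificate for any site on the fly.
    forged = sign_cert("bank.example", "Superfish Root", adware_key)
    return {
        "forged_accepted_on_clean_machine": verify_cert(forged, clean_store),
        "forged_accepted_on_affected_machine": verify_cert(forged, affected_store),
        "unexpected_roots": audit_trust_store(affected_store),
    }

if __name__ == "__main__":
    print(demo())
```

The forged certificate fails on a clean machine and passes without warning on the affected one, while the baseline audit is what surfaces the extra root.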
“This is unbelievably ignorant and reckless of them. It’s quite possibly the single worst thing I have seen a manufacturer do to its customer base,” Rogers wrote.