Lenovo’s choice to pre-install Superfish software on its computers has introduced a security vulnerability that makes customers vulnerable to HTTPS man in the middle attacks, according to security researchers.
The Superfish software, which Lenovo claims helps users find similar products at lower prices, also installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits.
This means that when owners of Lenovo computers with the adware installed visit an HTTPS site, the site certificate is signed and controlled by Superfish so that it can inject adverts Lenovo wants to push.
US security researcher Chris Palmer confirmed that Superfish presents itself in place of the official website certificate by visiting the Bank of America website on a new Lenovo Yoga 2, reported Ars Technica.
Palmer found that the certificate for the site was not signed by certificate authority VeriSign as it should have been, but instead by Superfish.
He found that the same Superfish-signed certificate was presented to his browser when he visited other HTTPS-protected websites, meaning that every HTTPS-protected site is affected.
Palmer then found that the Superfish certificate installed on his Yoga 2 used the same private key as the Superfish certificate installed on another Lenovo PC.
This means attackers could potentially use the certificate to create fake HTTPS websites that would not be detected by vulnerable Lenovo machines.
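The check Palmer ran (look at who signed the certificate your browser is actually shown) can be scripted. The following is an added example, not code from the article or from Lenovo: it flattens the issuer of the certificate returned by Python's `ssl` module and flags any issuer that names Superfish. The issuer values in the constructed sample certificate are assumptions for illustration, as is the `example-bank.test` host name.

```python
import socket
import ssl

# Issuer names that indicate a locally installed interception root rather
# than a public CA. "Superfish" is taken from the article; the exact
# organisation/common name strings used below are assumptions.
INTERCEPTION_MARKERS = ("superfish",)

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns:
# a leaf for a bank site that was (re)signed by a Superfish root.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}


def issuer_fields(cert):
    """Flatten the issuer RDN tuples from getpeercert() into {field: value}."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def is_intercepted(cert, markers=INTERCEPTION_MARKERS):
    """True when any issuer attribute contains an interception marker."""
    haystack = " ".join(issuer_fields(cert).values()).lower()
    return any(marker in haystack for marker in markers)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate as validated by the local trust store.

    create_default_context() loads the OS store (on Windows the same one
    Internet Explorer and Chrome use), so on an affected machine the
    Superfish-signed leaf validates and is returned; on a clean machine
    the site's real certificate is returned instead.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host):
    """Report the issuer CN shown for a live host and whether it is flagged."""
    cert = fetch_peer_cert(host)
    return {"host": host,
            "issuer": issuer_fields(cert).get("commonName", "?"),
            "intercepted": is_intercepted(cert)}
```

Run `check_host("<site>")` against any HTTPS site; a flagged result means the machine's trust store, not the site, is presenting the certificate, and the root should be removed as described further down.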
It is not known how many Lenovo computers are affected, but the company has “temporarily removed” Superfish from its consumer systems.
In late January, a Lenovo representative said in a blog post that the Superfish browser add-on had been removed “due to some issues (browser pop-up behaviour for example)”.
He said Superfish had been asked to address these issues and that for units already in the market, Lenovo had requested Superfish to create an auto-update to fix these issues.
The blog post did not acknowledge any security risk, but said the Superfish software is pre-installed on consumer products only and does not profile or monitor user behaviour.
“It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted,” wrote Mark Hopkins, program manager, Lenovo social media services.
The Superfish man in the middle vulnerability reportedly affects Internet Explorer and Google Chrome, but not Mozilla Firefox, which maintains its own certificate store rather than using the Windows one.
Some Twitter users have called for computer suppliers to be banned from pre-installing anything besides operating systems and necessary drivers.
Some security commentators have advised Lenovo PC owners concerned about Superfish to install a known clean version of their operating system.
Other security experts have said that while a clean operating system install is preferable, it is not always practical.
“Pre-installed software is always a concern because there’s often no easy way for a buyer to know what that software is doing – or if removing it will cause system problems further down the line,” said Chris Boyd, malware intelligence analyst at security firm Malwarebytes.
He recommended that affected Lenovo computer owners should uninstall the Superfish software then type certmgr.msc into their Windows search bar. “From there, they can find and remove the related root certificate,” he said.