Microsoft has rushed out a signature against the Superfish malware for its Windows Defender security software, which will also remove the insecure adware, while Lenovo has removed the software and apologised to customers.
It follows an advisory issued over the weekend by the US Department of Homeland Security advising Lenovo to stop shipping consumer PCs with the software, and to take “corrective action”. The advisory warned: “Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.” The US-CERT had also issued an official warning.
The adware had been used by the company that runs Superfish, Komodia, to impose advertising on users of Lenovo hardware based on image recognition, intercepting their web browsing to display the ads on Internet Explorer or Google Chrome. However, it did this without users’ clear and explicit authorisation, and by undermining web browsers’ HTTPS encryption in a way that could also be exploited by hackers.
The Electronic Frontier Foundation described it as a “severe security issue” and a “betrayal by Lenovo of all of its affected customers”. The Superfish software acted like a classic “man in the middle” attack, intercepting supposedly secure traffic between the browser and the internet.
All an attacker needed to do was to crack the password for the Superfish certificate and they would be able to launch their own man-in-the-middle attacks. This could be done over Wi-Fi in a public place, for example, without the user knowing or being warned by their security software. The password, according to Errata Security chief technology officer Robert Graham, was easy to crack.
Lenovo had insisted that Superfish posed no security problem for users. However, the attacks caused Lenovo – finally – to offer an unambiguous apology to its customers for the debacle. “We messed up badly here,” Peter Hortensius, Lenovo’s chief technology officer, told Bloomberg News. “We made a mistake. Our guys missed it. We’re not trying to hide from the issue.”
Microsoft was swift to issue an update to Windows Defender that would remove the offending software and delete the root certificate at the heart of the security issues with Superfish, although it isn’t able to remove the certificate from Mozilla Firefox as that maintains a separate certificate store.
The signature has been tagged Trojan:Win32/Superfish.A.
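The article notes that the Defender update deletes the root certificate from the Windows store but cannot reach Firefox's separate store. The following PowerShell script is an added example for administrators checking their own fleet; it is not from the article, Microsoft or Lenovo. It audits the Windows root stores with two heuristics: a subject-name match (the search term `Superfish` is taken from the article's naming of the software, not from a verified certificate subject, so it is an assumption) and the more general indicator of a root CA whose private key is present on the endpoint, which is what allows locally installed software, or anyone who extracts that key, to issue certificates for any site. It then lists Firefox profile certificate databases so they can be checked separately.

```powershell
# Added example: audit Windows root certificate stores for interception-style root CAs
# and point out the Firefox stores that Windows Defender does not clean.
# Assumptions: the subject pattern 'Superfish' is a search term from the article, not a
# verified indicator; the private-key heuristic is general and may not fire for every
# interception product.
param(
    [string]$SubjectPattern = 'Superfish'   # assumption: search term, not a verified IoC
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $reasons = @()

        # Heuristic 1: subject name matches the pattern supplied by the operator.
        if ($cert.Subject -match $SubjectPattern) {
            $reasons += "subject matches '$SubjectPattern'"
        }

        # Heuristic 2: a trusted root whose private key lives on this machine.
        # Genuine public roots never ship their private key to endpoints; a root with a
        # local key is exactly what lets software mint certificates for arbitrary sites.
        if ($cert.HasPrivateKey) {
            $reasons += 'root CA private key present on this machine'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No suspicious root certificates found in the Windows stores.'
}

# Firefox keeps its own NSS certificate store, as the article notes, so a Windows
# store cleanup does not cover it. List each profile's certificate database so it
# can be reviewed in Firefox's certificate manager or with NSS certutil.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem -Path $profiles -Recurse -Include 'cert9.db', 'cert8.db' |
        Select-Object FullName, LastWriteTime
} else {
    Write-Output 'No Firefox profiles found for the current user.'
}
```

Run it in an elevated session so the LocalMachine store is fully readable, and treat any hit on the private-key heuristic as worth investigating even when the subject looks unfamiliar: the point of the Superfish incident was that a trusted root with an extractable key turned every HTTPS connection on the machine into one that software, or a third party holding that key, could intercept.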