Lenovo malicious software?

[Punk]

http://www.dailydot.com/technology/lenovo-superfish-mitm-nightmare/?tw=dd

Do any of you have any info on this? What do you think?

 

[ninjabubbles3]

Heard about it, but I don't really know what to think of it. Lenovo almost never screws up

 

[C4C]

Heard about it, but I don't really know what to think of it. Lenovo almost never screws up

^ My school has 75% Lenovo's, and the teachers have them too. But I think they wipe them and use the same OS.. Nobody I know really buys Lenovo's.

 

[voyagerfan99]

It's just like any other piece of pre-installed software a manufacturer installs. However, Lenovo didn't know of the malicious nature / security vulnerabilities of this software until users started reporting it.

At Lenovo, we make every effort to provide a great user experience for our customers. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.

We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it. Superfish technology does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product.

We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January, and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. Detailed information on these activities and tools for software removal are available here:

Lifehacker explains pretty easily the issues with it.

Superfish is basically your run-of-the-mill adware software, but with some big security holes. Lenovo pre-installed it on some computers sold between October 2014 and December 2014, but any Windows computer can be infected. At its core, Superfish is meant to place advertisements in your web browser. The problem is that the software also intercepts encrypted traffic, which opens up your computer to man-in-the-middle attacks (which work similar to the Heartbleed security bug from last year)....

Not only that, but Superfish also intercepts HTTPS connections. A post over at Errata Security shows that that the HTTPS certificate is incredibly easy to crack, which makes you even more vulnerable. For example, security research Chris Palmer found that when he visited Bank of America's web site on a computer with Superfish installed, the bank's certificate was signed by Superfish rather than VeriSign. This means attackers could use the certificate to create fake HTTPS web sites that grab your passwords, or even create viruses that are "signed" to look legitimate.

The list of affected models may include:

Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

 

[johnb35]

Just bought my daughter the Lenovo G50-45 for her birthday. I'll have to check it next time I have her.

 

[voyagerfan99]

Here's how you completely remove it. Just uninstalling the program won't completely do it.

http://gizmodo.com/how-to-remove-superfish-adware-from-your-lenovo-compute-1686971025

 

[Darren]

Here's how you completely remove it. Just uninstalling the program won't completely do it.

http://gizmodo.com/how-to-remove-superfish-adware-from-your-lenovo-compute-1686971025

I have a friend that just got one of the affected machines and sent him that link. Thanks.

 

[spirit]

If possible the easiest thing to do is just reformat and install Windows fresh when you get the machine. It takes about 15 minutes to install Windows these days - seems to be a faster option than manually removing all the rubbish they pre-install. That's a bulletproof method of removing this and all of the other junk.

 

[voyagerfan99]

It takes about 15 minutes to install Windows these days

Not counting driver installations, Windows Updates, and other software. You're still looking at 2+ hours to get the computer completely usable.

 

[spirit]

Not counting driver installations, Windows Updates, and other software. You're still looking at 2+ hours to get the computer completely usable.

And how often do you get a new machine which has all of the Windows Updates applied? I'll take Lenovo as an example: my ThinkPad didn't have 8.1 installed when I bought it and 8.1 had been available for about 6-7 months when I bought that. Would have had to have waited for about 90 updates for 8 to install and then a few hours to download 8.1 via the Store to update to 8.1 when it would take about 15 minutes to install 8.1 clean.

And Windows comes with most driver software these days anyway and it doesn't take a few minutes to install the odd video driver or whatever. If you reformat before you install or do anything you're not losing any time either.

In my opinion it's just a much faster way of doing things and you aren't left with any remains from junk or trial software that is preinstalled. These days the Windows 8/8.1 key is in the BIOS so all you need is a disc or USB with Windows 8 on - you don't even need the product key (and you can use the key on the COA if using an older version of Windows).

You're still looking at several hours to get a machine ready out of the box after you've installed the updates and removed all of the rubbish and installed the software you want to install. The fact of the matter is that most installs take several hours to fully complete but Windows itself can be installed in about 15-30 minutes depending on your machine.

 

[voyagerfan99]

And how often do you get a new machine which has all of the Windows Updates applied? I'll take Lenovo as an example: my ThinkPad didn't have 8.1 installed when I bought it and 8.1 had been available for about 6-7 months when I bought that. Would have had to have waited for about 90 updates for 8 to install and then a few hours to download 8.1 via the Store to update to 8.1 when it would take about 15 minutes to install 8.1 clean.

And Windows comes with most driver software these days anyway and it doesn't take a few minutes to install the odd video driver or whatever. If you reformat before you install or do anything you're not losing any time either.

In my opinion it's just a much faster way of doing things and you aren't left with any remains from junk or trial software that is preinstalled. These days the Windows 8/8.1 key is in the BIOS so all you need is a disc or USB with Windows 8 on - you don't even need the product key (and you can use the key on the COA if using an older version of Windows).

You're still looking at several hours to get a machine ready out of the box after you've installed the updates and removed all of the rubbish and installed the software you want to install. The fact of the matter is that most installs take several hours to fully complete but Windows itself can be installed in about 15-30 minutes depending on your machine.

I know what you're saying Jason, and I agree that wiping a machine out of the box yields much better results, but you make it seem like you wipe it and it's ready in 30 minutes.

 

[Darren]

I was planning on doing a wipe with laptop when I got it but actually came with a surprisingly small amount of crap on it. I just uninstalled a few things and it was good to go.

 

[PCunicorn]

Not counting driver installations, Windows Updates, and other software. You're still looking at 2+ hours to get the computer completely usable.

Windows Update handles 95 percent of drivers anymore. Usually I only need to install GPU drivers, but for some GPUs, Windows even takes care of that. Using a 7200 RPM HDD+ with a flash drive with Windows on it (CDs are much slower), Ninite for Steam, Chrome, etc., and assuming Windows Update takes care of your drivers (it should), you can be up and running in an hour or less. Doind a complicated uninstall process like that can take 30 minutes.

 

[voyagerfan99]

I don't care to get my drivers from Windows Update unless I need to. I like direct manufacturer drivers, especially if they include control panel software.