U.S. government urges Lenovo customers to remove Superfish software

By

The U.S. Department of Homeland Security on Friday advised Lenovo Group Ltd customers to remove a software program known as "Superfish," which the agency said the world's No. 1 PC maker started installing on machines as early as 2010.

The Department of Homeland Security said in an alert released through its National Cyber Awareness System that the software made users vulnerable to a type of cyberattack known as SSL spoofing.

That could allow a remote attacker to read encrypted web browser traffic, spoof websites and perform other attacks on Lenovo PCs with the software installed, DHS said in the warning.

"Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," the agency said.

Lenovo describes Superfish as a piece of software that it believed would "enhance the shopping experience" for its customers. The software alters search results, a feature that Lenovo said led to complaints from some customers. The company initially said it stopped shipping the software because of complaints about features, not a security vulnerability.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday.

On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software.

"We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."

Lenovo did not say how many machines were affected, but said on Thursday that only machines shipped from September to December of last year had been pre-loaded with the software.

Tingler told Reuters on Friday that he could not explain why DHS said it had been installed as early as 2010.

Affected machines include models in Lenovo's Yoga, Flex and MiiX lines as well as its E, G, U, Y and Z series, according to a security advisory on the company's support website, which ranked the impact of the vulnerability as "severe." (lnv.gy/1LiWKX2)

That advisory said Lenovo had asked the company that produces Superfish to "disable all server activity associated with their product."

Tags
Software, DHS
Join the Discussion
More News
Elizabeth Ferguson

Texas Woman Viciously Bludgeoned in Random Lunchtime Attack Breaks Silence: 'Those Entire Two Days are Completely Gone'

Elon Musk

Election Officials Call Elon Musk a 'Huge Problem' For His Role in Spreading Misinformation Ahead of Election Day

Man Fed Up with Sister Cleaning His Room Gets Court

Man Fed Up with Sister Cleaning His Room Gets Court to Make Her Stop

Candace Craig and Salia Hardy

Maryland Woman Reveals Mom's Sick Plot to Dispose of Dismembered Grandma's Body Using Chainsaw and A Grill

Real Time Analytics