The U.S. Department of Homeland Security on Friday advised Lenovo Group Ltd customers to remove a software program known as "Superfish," which the agency said the world's No. 1 PC maker started installing on machines as early as 2010.
The Department of Homeland Security said in an alert released through its National Cyber Awareness System that the software made users vulnerable to a type of cyberattack known as SSL spoofing.
That could allow a remote attacker to read encrypted web browser traffic, spoof websites and perform other attacks on Lenovo PCs with the software installed, DHS said in the warning.
"Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," the agency said.
Lenovo describes Superfish as a piece of software that it believed would "enhance the shopping experience" for its customers. The software alters search results, a feature that Lenovo said led to complaints from some customers. The company initially said it stopped shipping the software because of complaints about features, not a security vulnerability.
"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the company said in a statement to Reuters early on Thursday.
On Friday, Lenovo spokesman Brion Tingler said the company's initial findings were flawed and that it was now advising customers to remove the software.
"We should have known about this sooner," Tingler said in an email. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."
Lenovo did not say how many machines were affected, but said on Thursday that only machines shipped from September to December of last year had been pre-loaded with the software.
Tingler told Reuters on Friday that he could not explain why DHS said it had been installed as early as 2010.
Affected machines include models in Lenovo's Yoga, Flex and MiiX lines as well as its E, G, U, Y and Z series, according to a security advisory on the company's support website, which ranked the impact of the vulnerability as "severe." (lnv.gy/1LiWKX2)
That advisory said Lenovo had asked the company that produces Superfish to "disable all server activity associated with their product."
