Lenovo Security & Man-in-the-middle attacks

[Mrs.Sveigdalen]

I was very frustrated to wake up and find these articles today:

https://forums.lenovo.com/t5/Security-M ... true#M1697

http://thenextweb.com/insider/2015/02/1 ... computers/

While I do fully reimage PCs I deploy and I manage them with SCCM, I don't do much of **anything** to the many tablet PCs we get from Lenovo besides put a client on them. To see these articles makes me furious because I know this what I will be stuck working on, pulling reports and doing security analysis work. It is a good reminder of the level of vulnerability when one does not control one's installed software

-jenn

[Puppy]

It is a good reminder of the level of vulnerability when one does not control one's installed software

It is the same with preinstalled Google Chrome spyware. Always have to remove (not easy) and verify it before connect to the Internet.

[Dekks]

It's not on Thinkpads only the Lenovo consumer laptops manufactured Jan 2015 or earlier. Firefox doesn't use the Superfish cert as it maintains its own cert store. The Laptop lines that have been compromised are Flex, P, Y and Z series devices.

If anyone asks how to remove it you have to a) uninstall the app 2) open certmgr.msc drill down to the 2nd tree under and remove the Superfish cert.

[Mrs.Sveigdalen]

Thanks for that piece of information.

Btw, when Superfish is removed, do you know if it's downloaded and reinstalled through the ThinkVantage Update Retriever? Or any other updating function?

[Puppy]

Btw, when Superfish is removed, do you know if it's downloaded and reinstalled through the ThinkVantage Update Retriever?

It is not listed in updates and I believe Lenovo would remove it now if it was. I guess the company delivering the adware is spoiled after this case.

[600X]

According to the official Lenovo statement, Superfish has disabled all server side interaction, thus effectively deactivating the product.

[killer]

Having only read about this earlier today I did a search through Windows Registry for 'Superfish'. There were 4 entries, which I deleted.

I then searched my entire PC for 'superfish' and nothing was found.

Maybe it is hidden in the chips ... super fish and chips?

[Dekks]

This is a big PR disaster, nothing like it since the Sony root kit.

[exTPfan]

Firefox doesn't use the Superfish cert as it maintains its own cert store.

That's not correct: "EFF reported that its SSL Observatory has found 44,000 Lenovo owners who are using the Superfish certificate, and that's just on the Firefox browser alone. Extrapolating from Firefox market share, we can assume that there are at least a few hundred thousand users who are now using insecure connections that can be exploited by attackers. " tomshardware.com

[Norway Pad]

And for those who want to attempt a real man-in-the-middle attack on a Superfish "infected" laptop, the route seems open: http://blog.erratasec.com/2015/02/extra ... e.html?m=1

A PR disaster, indeed. Luckily it seems like only consumer grade laptops are affected.

Superfish may have appeared on these models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

Edit: Found this one, elaborating on the background of Superfish and it's CEO. http://www.forbes.com/sites/thomasbrews ... veillance/ Interesting read. It must be noted that there are some speculations here, but there is an apparent track back into the kind of industry that Superfish arises from.

[Dekks]

Firefox doesn't use the Superfish cert as it maintains its own cert store.

That's not correct: "EFF reported that its SSL Observatory has found 44,000 Lenovo owners who are using the Superfish certificate, and that's just on the Firefox browser alone. Extrapolating from Firefox market share, we can assume that there are at least a few hundred thousand users who are now using insecure connections that can be exploited by attackers. " tomshardware.com

Yup that's came out overnight, just reading the details now.

[nikki605]

You can test here to see if your Lenovo has Superfish

https://filippo.io/Badfish/

I have a Lenovo T410 laptop and an M83 desktop. I used the link to test both machines and neither one had Superfish installed.

[ajkula66]

Official Lenovo removal tool with instructions:

http://support.lenovo.com/us/en/product ... /superfish

[Puppy]

Windows Defender removes it now, including the certificate http://www.zdnet.com/article/microsoft- ... infection/