As you may be aware, it was recently revealed that many Lenovo computers shipped between October 2014 and December 2014 were pre-loaded with a piece of AdWare called “Superfish.” In addition to being annoying, Superfish introduces a serious security hole in the way your computer uses HTTPS on the internet. It’s gotten bad enough that the Department of Homeland Security had to advise people to remove the software. Lenovo has since gone on full damage-control, and is no longer shipping computers with Superfish pre-installed. The following is everything you need to know about this piece of AdWare.
What is Superfish?
Superfish is your typical piece of AdWare. It runs in the background on your computer and when you go to a webpage Superfish injects pop-up ads in to the page you’re looking at. It does this on all pages, regardless of whether they use HTTPS.
Why is it bad?
First of all, no one likes ads. If you happen to be someone who does enjoy pop-up ads you may want to remove Superfish anyway, and here’s why: in order to make sure that it can show you ads even on encrypted secure webpages, Superfish has to break your computer’s encryption. It does this by installing its own “root certificate.” The way that HTTPS works is that each website needs a certificate to verify its identity. If you’re interested, Wikipedia explains the details behind HTTPS and certificates fairly well. These certificates must be signed by a trusted authority such as VeriSign or InCommon. Because Superfish installs its own certificate on your computer it can pretend to be one of these trusted authorities and thus it can pretend to be any website it wants. This is what is called a “man-in-the-middle attack.”
In addition to being annoying and malicious, this was also poorly done. Superfish installed all of its root certificates using the same password, which this man figured out in 3 hours. That means that if your computer has Superfish installed, you could be vulnerable to a phishing attack or anything similar since anyone can take Superfish’s certificate and pretend to be a website they aren’t.
How do I fix this?
First of all, let’s find out whether you have Superfish or not. A nice, white-hat citizen of the internet built this website to help you figure it out. If you do have Superfish installed, Lenovo was nice enough to put out a handy uninstall guide, along with a nice automatic tool. The steps are written for Windows 8, but they should be similar if you are on Windows 7. Here’s the synopsis:
1. First, open up Control Panel and go to “Uninstall a program.” Then find Superfish in the list, select it and hit “Uninstall”
2. Go to Window’s search function and look for “Manage Computer Certificates.” Go into Trusted Root Certification Authorities, and delete the Superfish cert.
3. Finally, Firefox and Thunderbird also need to have the certificate removed manually. See the Lenovo article for instructions on how to do this.
You’re done! Remember to keep all your software up to date, and always feel free to come to UMass IT for help with security or anything else you might need.