IOActive researchers disclosed details on three patched vulnerabilities in Lenovo’s System Update mechanism.
Tag Archives: Superfish
Superfish: Lenovo goes on the bloatware offensive
It’s been just under three weeks since February 19th, when Lenovo became entangled in a web of controversy over its preinstallation of Superfish’s Visual Search adware on some of its popular consumer laptops during last year’s holiday shopping season.
The post Superfish: Lenovo goes on the bloatware offensive appeared first on We Live Security.
Komodia Certificate Manipulation Likely Led To Man-In-The-Middle Attacks
The EFF’s Decentralized SSL Observatory turned up 1,600 certificates that should have been rejected but instead passed browser checks because they were manipulated by Komodia’s SSL Digester interception module.
PrivDog Adware Poses Bigger Risk Than Superfish
Another shady piece of adware called PrivDog has been unearthed with a similar Superfish-type vulnerability that breaks SSL connections.
Komodia Website Under DDoS Attack
Komodia.com, home of the SSL module at the heart of the Superfish scandal, is offline because of a DDoS attack.
Lenovo and the Superfish
This sounds like the title of a children’s book, but unfortunately the issue highlighted in the press this week is more concerning than a story. The pre-loading of the Superfish software on the Lenovo machines introduced a vulnerability to users even before they unboxed their new laptop.
There are several issues with the pre-installed application. One is that it is an ad injector, which inserts adverts into your browser based on what you are searching for; without being an expert at identifying these, you might be directed to sites to purchase things without understanding why.
To do this more effectively, Superfish also installs a root certificate which allows them to see traffic on encrypted websites, like your banking website, that you might have considered private and secure.
This is a bit like me giving out the keys to your house and could be abused by other malicious people and used to capture passwords and other personal information.
AVG detects and removes the Superfish add-on. If you have attempted to download something it was bundled with, then AVG would have detected and blocked it, advising the user it was an ‘unwanted application’ and potentially harmful.
This means no part of it was ever installed, which is good for existing AVG users. But what if you have purchased a Lenovo and then installed an anti-virus product? The risk here is that some parts are difficult to remove fully, as they are embedded into the system.
This week Lenovo reacted to this and developed a removal tool that you can download. There are also manual instructions available should you want to do this yourself.
There is a much wider issue for consumers, though: it’s becoming very difficult to know which products and manufacturers to trust and who is doing what with our data.
There are discussions in the tech industry on improving transparency so that consumers can once again have confidence in brands.
I believe that over the next few months we will see progress in a more coordinated effort by the security industry to protect users from these types of applications.
If you are at all concerned, then be sure to run a full system scan from your anti-virus product and ensure that the updates have been run. If you’re running an expired product, then either renew it or download the AVG AntiVirus Free solution.
Follow me on twitter – @tonyatavg
Lenovo and Superfish? Don’t panic, you may not be affected
Lenovo’s installation of a security-breaking app called Superfish on some computers has customers justifiably angry, but some folks are now unnecessarily confused by false positive detection.
The post Lenovo and Superfish? Don’t panic, you may not be affected appeared first on We Live Security.
Lenovo apologizes over pre-installed tracking software
Lenovo has issued a public apology, admitting it “messed up badly” by selling laptops with a controversial tracking software pre-installed.
The post Lenovo apologizes over pre-installed tracking software appeared first on We Live Security.