It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time.

The adware, named Superfish, is reportedly installed on a number of Lenovo’s consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user’s permission.

Lenovo caught installing adware on new computers

Superfish appears to affect Internet Explorer and Google Chrome on these Lenovo computers.

A Lenovo community administrator, Mark Hopkins, wrote in late January that the software would be temporarily removed from current systems after irate users complained of popups and other unwanted behavior:

We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.

Hopkins defended the adware, saying that it “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.”

He also says that users can refuse the terms and conditions when setting up their laptop, which means the software will be disabled. It doesn’t sound that straight-forward, however.


Other users are reporting that the adware actually installs its own self-signed certificate authority which effectively allows the software to snoop on secure connections, like banking websites as pictured in action below.

This is a malicious technique commonly known as a man-in-the middle attack, where the certificate allows the software to decrypt secure requests, yet Lenovo appears to be shipping this software with some of its products out of the box.

If this is true — we’ve only seen screenshots so far — Superfish could be far more dangerous than just inserting advertising.


Superfish is identified by antivirus products as adware and advised to be removed. One user created a video that details how to remove the software manually, for those that are affected.

Even though Hopkins says the company has stopped installing the software on computers, it appears that’s only “temporary” until the company behind the software makes some tweaks to stop pop-ups.

Reports of Superfish being pre-loaded on Lenovo computers have appeared on forums as early as mid-2014.

If this is as widespread as it appears to be, the news is not good for Lenovo computer owners. If you own a Lenovo machine, let us know in the comments if you find the Superfish software on your machine.

We’ve contacted Lenovo for comment on the Superfish software and will update when we hear back.


Update: Mozilla Firefox does not appear to be affected by the SSL man-in-the-middle issue, because it maintains its own certificate store.

Update 2: Lenovo contacted us with the below statement and says that it has disabled the Superfish software and will not bundle it in the future. The company did not, however, respond to the root security certificate flaw and does not appear to have fixed it.

“Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:

1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.

2) Lenovo stopped preloading the software in January.

3) We will not preload this software in the future.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.

To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.

We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detail information is available at http://forums.lenovo.com.”

Update 3: A developer has created a website that helps Lenovo owners quickly check if they’re affected by the root security certificate and offers suggestions on how to fix if they are.

Update 4: Lenovo has released detailed instructions on how to fully remove Superfish from affected systems.

Just over a week ago, the Superfish visual discovery software preloaded onto Lenovo consumer notebooks beginning in September 2014 created concern and frustration among our customers and the security and privacy communities. We have worked with partners to create tools and update antivirus programs to eliminate Superfish software. And an automatic removal tool is available on Lenovo.com. No ThinkPads, desktops, tablets, smartphones nor any enterprise server or storage product was impacted.

Additionally, we will offer Lenovo PC users affected by this issue a free 6-month subscription to McAfee LiveSafe service (or a 6-month extension for existing subscribers). More information will be available at Lenovo.com within 7 days.

The events of last week reinforce the principle that customer experience, security and privacy must be our top priorities. With this in mind, we will significantly reduce preloaded applications. Our goal is clear: To become the leader in providing cleaner, safer PCs.

We are starting immediately, and by the time we launch our Windows 10 products, our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications. This should eliminate what our industry calls “adware” and “bloatware.” For some countries, certain applications customarily expected by users will also be included.

Lenovo will post information about ALL software we preload on our PCs that clearly explains what each application does. And we will continuously solicit feedback from our user community and industry experts to ensure we have the right applications and best user experience.

We view these actions as a starting point. We believe that these steps will make our technology better, safer and more secure.

A researcher at OpenDNS Security Labs has developed a new way to automatically detect and block sites used to distribute malware almost instantaneously without having to scan them. The approach, initially developed by researcher Jeremiah O'Connor, uses natural language processing and other analytics to detect malicious domains before they can attack by spotting host names that are designed as camouflage. Called NLPRank, it spots DNS requests for sites that have names similar to legitimate sites, but with IP addresses that are outside the expected address blocks and other related data that hints at sketchiness.

The practice of using look-alike domain names as part of an effort to fool victims into visiting websites or approving downloads is a well-worn approach in computer crime. But recent crafted attacks via "phishing" links in e-mails and social media have gone past the well-worn "typo-squatting" approach by using domain names that appear close to those of trusted sites, registered just in time for attacks to fly under reputation-scoring security tools to make blacklisting them harder. Fake domain names such as update-java.net and adobe-update.net, for example, were used in the recently discovered "Carbanak" attacks on banks that allowed criminals to gain access to financial institutions' networks starting in January 2013 and steal over $1 billion over the next two years.

Many security services can screen out malicious sites based on techniques such as reputation analysis—checking a centralized database to see if a site name has been associated with any malware attacks. But because attackers are able to rapidly register new domains with scripted systems that look relatively legitimate to the average computer user, they can often bypass reputation checks—especially when using their specially crafted domain names in highly targeted attacks.

O'Connor's approach, which is currently being tested by OpenDNS using live DNS query traffic, gets around the reputation problem by simply analyzing the domain name itself for sketchiness. It works in a way similar to natural language processing of any stream of text content. Using patterns spotted in malicious DNS traffic, OpenDNS security researchers are training the NLPRank system to identify domain names that look similar to legitimate sites but have attributes that flag them as being suspicious.

"Essentially what we are defining is a 'malicious language' within the lexical nature of DNS traffic," O'Connor wrote in a blog post being published this morning. The "language" consists of domain names that are combinations of technology company-related text (such as "java," "gmail," "facebook," or "adobe," for example with a collection of "certain dictionary words," O'Connor explained ("install," "update," "security," or "payment," for instance).

The system then performs "sentiment analysis" on frequently queried domain names in tens of billions of DNS requests that flow through OpenDNS daily, looking for patterns like these, applying a set of ranking scores to domain names that match the pattern. "If it's a Facebook-related domain and not associated with Facebook's IP address space, that would be a negative tick," said Andrew Hay, director of security research at OpenDNS, in an interview with Ars. "Or if it was registered a day ago and administered by someone with a Russian disposable e-mail address, those would be negatives." And the system can also do HTML analysis of websites associated with the domain names to check if there's a match. "We can look at fraud websites and compare them to actual legitimate pages, see how much they differ," Hay explained.

Hay said that OpenDNS is currently fine-tuning the system to prevent false positives, but that so far NLPRank has held up well in testing. "We have used it to detect malicious phishing campaigns," he said. "And we've been able to use it to validate data in other security firms' reports, giving us additional reinforcement that it's working."

Popular password management service LastPass informed its users Monday that it had detected and blocked "suspicious activity" on its networks on Friday. LastPass works as an app or browser extension that keeps track of passwords for you, requiring only one "master password" to be remembered in order to access the rest. In a blog post, the company assured users that their passwords are completely safe, but that emails associated with accounts, and hints for their "master password" were swiped by the attackers.

"We are confident that our encryption measures are sufficient to protect the vast majority of users," wrote CEO Joe Siegrist in the post. "Nonetheless, we are taking additional measures to ensure that your data remains secure."

Anyone logging in from a new device or IP will be asked to check in via email or some other form of multi-factor authentication. And if you had a weak master password, you should probably change it, especially if your hint was "first dog's name" or something likewise revealing.

Read Immediately!!!!

Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer.

Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file.

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation.