The US government on Friday advised Lenovo Group Ltd customers to remove "Superfish," a programme pre-installed on some Lenovo laptops, saying it makes users vulnerable to cyberattacks. The Department of Homeland Security said in an alert that the programme makes users vulnerable to a type of cyberattack known as SSL spoofing, in which remote attackers can read encrypted web traffic, redirect traffic from official websites to spoofs, and perform other attacks.
"Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," the agency said. Adi Pinhas, chief executive of Palo Alto, California-based Superfish, said in a statement that his company's software helps users achieve more relevant search results based on images of products viewed. He said the vulnerability was "inadvertently" introduced by Israel-based Komodia, which built the application described in the government notice.
Komodia CEO Barak Weichselbaum declined comment on the vulnerability. Lenovo apologised late on Friday in a statement for "causing these concerns among our users" and said that it was "exploring every action we can" to address the issues around Superfish, including offering tools to remove the software and certificate. "We ordered Superfish pre-loads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday (Thursday)," the Lenovo statement said.