
Lenovo CTO Admits It 'Messed Up' Allowing Major Security Hole Onto PCs

Superfish, a shopping tool preloaded on some consumer laptops, left the machines open to attack.

Re/code

Lenovo’s chief technology officer said Friday that the computer maker erred significantly by preinstalling onto consumer PCs a piece of software that made the machines vulnerable to attack.

The tool, a shopping aid called Superfish, was installed on some Lenovo consumer laptops sold between September and January. Lenovo said earlier this week that it had stopped installing the controversial software because of bad customer reviews, but initially downplayed the security concerns.

“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one. The problem stems from the fact that Superfish intercepts Web traffic, including secure traffic, using a self-signed security certificate that could be spoofed by attackers.
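The interception pattern described above depends on a trusted root certificate whose private key sits on the laptop itself. The following PowerShell check, added here as an illustration and not Lenovo's own removal tool, lists trusted roots on a Windows machine that match that condition; it assumes Windows PowerShell with the Cert: provider available.

```powershell
# Added example (not Lenovo's removal tool): flag trusted root certificates
# that carry a private key on this machine. A root CA whose private key lives
# on the endpoint is the condition that lets locally installed software issue
# certificates for any site the user visits, which is the man-in-the-middle
# exposure described in the article. Assumes Windows PowerShell with the
# Cert: drive available.

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspects = Get-ChildItem -Path $stores |
    Where-Object {
        $_.Subject -eq $_.Issuer -and   # self-signed: a root, not an intermediate
        $_.HasPrivateKey                 # private key present locally: the red flag
    } |
    Select-Object @{ Name = 'Store'; Expression = { $_.PSParentPath -replace '^.*::' } },
                  Subject, Thumbprint, NotBefore, NotAfter

if ($suspects) {
    Write-Warning 'Trusted root certificate(s) with a local private key found:'
    $suspects | Format-Table -AutoSize
} else {
    Write-Host 'No trusted root certificate has a private key on this machine.'
}
```

Legitimate corporate TLS-inspection roots match the same condition, so review the list against what your organisation intentionally deployed rather than deleting entries blindly.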

Lenovo, like most PC makers, makes some of its money by preinstalling certain software. Hortensius said there was a commercial relationship with Superfish, but described Lenovo’s financial benefit from the deal as “minor.”

The company's engineering review confirmed that the tool itself didn't store customer information and gave users a way to opt out, but Lenovo missed that the way the software behaved could leave machines vulnerable to attack.

“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”

Security researchers have demonstrated how attackers could exploit Superfish, but Hortensius said Lenovo is not yet aware of actual attacks targeting customers.

That said, Hortensius said Lenovo is encouraging customers to remove the software and admitted that the company made a significant lapse in allowing it onto machines.

“We are taking our beating like we deserve on this issue,” he said.

Lenovo has posted instructions on its website for how to remove Superfish and plans to release a tool later on Friday that will make that process easier. It is also working with antivirus companies to enable those tools to remove the code. Microsoft has already added the ability to remove Superfish from PCs with its Defender tool.

Lenovo has also pledged by the end of this month to offer a more detailed plan for what it will do going forward to improve its practices.

“We are not just curled up in a ball,” he said. “We are taking real action to make this right with our customers.”

Update: Lenovo says the automated uninstall tool is now available from its Web site.

This article originally appeared on Recode.net.