Lenovo laptops released with Superfish Adware - could lead to decryption of your secure web traffic

The security community has been buzzing over Lenovo's gaffe of shipping Superfish adware on its laptops.  Superfish comes pre-installed with its own root CA, whose private key ships inside the software (which is what makes it compromised), and that root CA is installed by default into the trusted certificate store used by the system's web browsers.

Malicious individuals can use this root CA to generate certificates for any website and have the browser "trust" them, leaving the user entirely unaware that a third party is "listening in" on what they believe is a secure connection.  This type of attack (TLS interception by a rogue trusted CA) isn't new, but the software itself does the heavy lifting, which makes it a lot easier for a crook to exploit.
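Two checks a practitioner would run on a suspect machine follow, as an added example that is not part of the original post: audit the Windows trusted-root stores for a certificate whose name matches a pattern, and look at which issuer a live HTTPS connection actually presents (under interception, every site's certificate is issued by the local root instead of a public CA).  The name pattern 'Superfish' and the probe host 'example.com' are placeholders chosen here; run it in an elevated PowerShell on the machine being checked.

```powershell
# Added example: audit trusted-root stores and probe a live TLS issuer.
# Assumptions: pattern 'Superfish' and host 'example.com' are placeholders.

function Find-RootCertByName {
    param([string]$Pattern = 'Superfish')
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store | Where-Object {
            $_.Subject -match $Pattern -or $_.Issuer -match $Pattern
        } | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Get-LiveIssuer {
    param([string]$HostName = 'example.com', [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: we only want to SEE what was presented, not trust it.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Subject = $cert.Subject; Issuer = $cert.Issuer }
    } finally { $tcp.Close() }
}

$hits = Find-RootCertByName
if ($hits) { $hits | Format-Table -AutoSize } else { 'No matching root certificate found.' }
# If the Issuer below names the local root rather than a public CA, traffic is being intercepted.
Get-LiveIssuer
```

A match in either store, or a live issuer that is not a well-known public CA, is the signal; removing the adware alone does not remove the root certificate, so both checks should be repeated after cleanup.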

Lenovo made this statement on Twitter yesterday: "We're sorry.  We messed up.  We're owning it.  And we're making sure it never happens again."  The company took full responsibility for the issue and published instructions on how to completely remove the vulnerable program from the system.

Although I'm happy that Lenovo has "owned up" on this issue and offered a solution, it reminds me again of the distaste I have for computers that come with software pre-installed.  I miss the bygone years of getting a computer with a fresh, never-been-touched hard drive and installation media, and spending the first hour with my new machine telling it what software I wanted it to have.

More Information:

Lenovo Computers Vulnerable to HTTPS Spoofing
TA15-051A: Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing
Lenovo's Superfish Vulnerability and Removal Instructions