[Cryptography] Lenovo laptops with preloaded adware and an evil CA

John Young jya at pipeline.com
Thu Feb 19 11:37:09 EST 2015


We have a Lenovo laptop, older than that reportedly infected with Superfish
adware. A search does not find the program.

Coincidentally, surely, a file named "superfish.js" appears in the
Silent Circle installation instructions:

http://cryptome.org/superfish-js.jpg



At 01:48 AM 2/19/2015, Christian Barcenas wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>There's some interesting buzz online [1][2][3] about "Superfish", a
>bit of adware that Lenovo has apparently been preloading on some of
>its computers over the past few months.
>
>While preloaded adware is bad enough, Superfish does something even
>worse: to allow itself to MITM SSL-/TLS-protected web traffic, it
>installs a CA into the Windows trusted root certificate store. This CA
>is apparently pre-generated and its corresponding private key comes
>with every installation of Superfish. Furthermore, uninstalling
>Superfish does not remove this CA, so all users running
>Lenovo's tainted Windows installation are affected, even if they took
>the time to uninstall Superfish.
>
>A user on Twitter has apparently forged a certificate for Bank of
>America's online banking system [4] and I expect that we will see more
>of these shenanigans come to light over the next few days.
>
>According to a thread on Lenovo's customer support forum [1], they are
>no longer pushing this adware on customers and are asking the
>authoring company to push a fix for this ASAP. Mozilla also has an
>issue on their tracker to mark the offending cert as "untrusted" in
>NSS. [5]
>
>Thoughts?
>
>[1]
>https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839
>[2]
>http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
>[3] https://news.ycombinator.com/item?id=9072424
>[4] https://twitter.com/kennwhite/status/568270748638318593/photo/1
>[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1134506
>
>- --
>Christian Barcenas
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1
>
>-----END PGP SIGNATURE-----
>_______________________________________________
>The cryptography mailing list
>cryptography at metzdowd.com
>http://www.metzdowd.com/mailman/listinfo/cryptography
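
Added example, not part of the original thread: a read-only PowerShell check for the lingering root CA described in the quoted message, which stays in the Windows trusted root store after Superfish is uninstalled. It assumes the certificate can be recognised by the string "Superfish" in its subject or issuer (the page gives no thumbprint); the function name `Find-RootCertByName` is hypothetical.

```powershell
# Added example: read-only audit of the Windows trusted root stores.
# Assumption: the unwanted CA can be recognised by a name fragment in its
# Subject or Issuer (default "Superfish"); no thumbprint is given on the page.
function Find-RootCertByName {
    [CmdletBinding()]
    param(
        [string]$NameFragment = 'Superfish'
    )

    # Both the machine-wide and the per-user root store feed Windows chain building.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($path in $stores) {
        if (-not (Test-Path -Path $path)) { continue }

        Get-ChildItem -Path $path |
            Where-Object {
                $_.Subject -like "*$NameFragment*" -or
                $_.Issuer  -like "*$NameFragment*"
            } |
            ForEach-Object {
                # Emit one record per hit so results can be exported or compared.
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-RootCertByName)
if ($hits.Count -eq 0) {
    Write-Output 'No matching certificate in the trusted root stores.'
} else {
    $hits | Format-List
    Write-Warning "$($hits.Count) matching root certificate(s) still trusted."
}
```

This covers only software that relies on the Windows certificate store; Firefox keeps its own NSS trust store, which is why the Mozilla tracker issue mentioned above is handled separately.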



