[Cryptography] Lenovo laptops with preloaded adware and an evil CA

William Muriithi william.muriithi at gmail.com
Thu Feb 19 20:37:46 EST 2015


Crazy

Really, how can Lenovo fall for this?

William

  Original Message  
From: Christian Barcenas
Sent: Thursday, February 19, 2015 9:47 AM
To: cryptography at metzdowd.com
Subject: [Cryptography] Lenovo laptops with preloaded adware and an evil CA

There's some interesting buzz online [1][2][3] about "Superfish", a
bit of adware that Lenovo has apparently been preloading on some of
its computers over the past few months.

While preloaded adware is bad enough, Superfish does something even
worse: to allow itself to MITM SSL-/TLS-protected web traffic, it
installs a CA into the Windows trusted root certificate store. This CA
is apparently pre-generated and its corresponding private key comes
with every installation of Superfish. Furthermore, uninstalling
Superfish does not remove this CA, so all users running
Lenovo's tainted Windows installation are affected, even if they took
the time to uninstall Superfish.

A user on Twitter has apparently forged a certificate for Bank of
America's online banking system [4] and I expect that we will see more
of these shenanigans come to light over the next few days.

According to a thread on Lenovo's customer support forum [1], they are
no longer pushing this adware on customers and are asking the
authoring company to push a fix for this ASAP. Mozilla also has an
issue on their tracker to mark the offending cert as "untrusted" in
NSS. [5]

Thoughts?

[1]
https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/td-p/1726839
[2]
http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/
[3] https://news.ycombinator.com/item?id=9072424
[4] https://twitter.com/kennwhite/status/568270748638318593/photo/1
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1134506

- --
Christian Barcenas
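
Added example, not part of the original messages: because the quoted post says the CA stays in the Windows trusted root store after Superfish is uninstalled, the store has to be checked directly. The function name `Find-RootCaByName` is hypothetical, and matching on the product name "Superfish" in the certificate subject or issuer is an assumption; the thread gives no thumbprint.

```powershell
# Added example: audit the Windows trusted root stores for a CA by name.
# Assumption: the unwanted CA carries the product name in its subject or issuer.
function Find-RootCaByName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Pattern = 'Superfish',   # name to look for (assumed, see above)
        [switch]$Remove                   # delete matches after confirmation
    )

    # Machine-wide store first, then the per-user view. A CA in either one is
    # trusted by Windows, so both are inspected.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" } |
            ForEach-Object {
                # Report every match so it can be logged or compared across machines.
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }

                # Removal is opt-in and honours -WhatIf / -Confirm.
                if ($Remove -and $PSCmdlet.ShouldProcess("$store\$($_.Thumbprint)", 'Remove trusted root CA')) {
                    Remove-Item -Path $_.PSPath
                }
            }
    }
}

# Report only:
Find-RootCaByName

# Remove matches (the LocalMachine store needs an elevated shell):
# Find-RootCaByName -Remove
```

This inspects only the Windows certificate store; applications built on NSS keep their own trust list, which this does not touch.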