Naked Security

How to get rid of the Lenovo “Superfish” adware

Here's how to get rid of the "Superfish" adware that was pre-installed on some Lenovo notebooks.

Looking for an explanation of Superfish? See our article here: Lenovo “Superfish” controversy – what you need to know.

The Lenovo “Superfish” controversy was caused by the revelation that Lenovo, for the last three months of 2014, had shipped adware known as “Superfish” on some of its notebook computers.

The real problem with this software was not so much that it was adware, but that it posed a privacy and security risk.

Briefly put, Superfish:

  • Installs a network filter that intercepts all your web traffic, including HTTPS.
  • Carries out a so-called Man in The Middle attack to decrypt your HTTPS traffic.
  • Installs a Trusted Root Certificate so that the MiTM decryption doesn’t produce any warnings.

Even if Superfish doesn’t deliberately go after any personally identifiable information in your secure transactions, you have to assume that the programmers haven’t made any blunders that might let crooks abuse its privileged position.

That, on its own, is enough of a security concern to justify the immediate removal of Superfish.

But Superfish also makes it easy for crooks to extract the private signing key it uses for its MiTM work, and to abuse that key to sign content of their choice.

Because the Superfish root certificate is authorised to sign both websites and programs, crooks can abuse it not only to trick you into trusting a fake web page, but also to trick you into trusting any software that you download from it.

In short: if you have Superfish installed, you want to get rid of it.

Remove the software

Fortunately, for all that the software is unsafe, it doesn’t seem to be devious, so you can uninstall it conventionally.

Head to Control Panel | Programs | Programs and Features and look for an entry entitled Superfish Inc. VisualDiscovery.

Right click and choose Uninstall.

Your browsing will no longer be monitored by Superfish’s MiTM filter.

Unfortunately, the Superfish uninstaller does not remove the Trusted Root Certificate it added so that it could masquerade as your bank, webmail server, company network, and so on.

Removing the certificate

To prevent future malware from taking advantage of that certificate, you should remove it.

You need to run the Windows utility called MMC, short for Microsoft Management Console.

An easy way to do this is to use the Run option from the Start menu; type in mmc as the name of the program you want to start:

Go to File | Add/Remove Snap-in... to give yourself access to the certificate management menu:

Choose Certificates and then press [Add>] and [OK] to activate the snap-in you need:

Go back to the main MMC console, and click on the triangle next to Certificates in the left-most column to expand the list:

Go to Trusted Root Certificates | Certificates and scroll down until you see the Superfish certificate.

Now right-click and choose Delete:

There’s a final warning that this “might prevent some Windows components from working properly,” but in this case we want to make sure that anything relying on the Superfish certificate won’t work at all:

Click [Yes] and that should be that.
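The two removal steps above can also be checked from a PowerShell prompt. The script below is an added example, not part of the original article. It assumes the certificate carries "Superfish" in its subject or issuer (the article identifies it only by name), and the function name is hypothetical.

```powershell
# Added example: audit a Windows machine for Superfish leftovers.
# Read-only by default; pass -Remove to delete matching root certificates.
# Assumption: the certificate is recognisable by "Superfish" in its subject or
# issuer. The article gives a name to look for, not a thumbprint.
function Find-SuperfishLeftovers {   # hypothetical helper name
    [CmdletBinding()]
    param([switch]$Remove)

    # 1. Is the program still listed under Programs and Features?
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Superfish*' -or $_.DisplayName -like '*VisualDiscovery*' } |
        ForEach-Object { Write-Warning "Still installed: $($_.DisplayName)" }

    # 2. Check both Trusted Root stores, matching the MMC snap-in's choice of
    #    "computer account" or "my user account". LocalMachine goes first because
    #    a machine-wide certificate can also show up in the CurrentUser view.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $hits = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }
        foreach ($cert in $hits) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
            if ($Remove) {
                # Prompts per certificate; the LocalMachine store needs an elevated prompt.
                $cert | Remove-Item -Confirm
            }
        }
    }
}

Find-SuperfishLeftovers            # report only
# Find-SuperfishLeftovers -Remove  # delete, with a confirmation prompt for each hit
```

An empty result from both stores, with no "Still installed" warning, means neither the program nor the root certificate was found under those names.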

For future reference

For future reference, a good habit to adopt is clicking on the HTTPS padlock in your browser’s address bar whenever you are using a secure site.

Trickery such as that wrought by Superfish’s fake certificate is then much more obvious, because Superfish will show up as the certificate authority that vouched for the site:

If you are familiar with what to expect, the difference is obvious:
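The padlock check described above can be scripted as well. This is an added example, not part of the original article: it connects to a site, reads the certificate the machine is actually being shown, and reports who issued it. The function name is hypothetical, `www.example.com` is a placeholder host, and matching on the string "Superfish" is an assumption based on the name the article gives.

```powershell
# Added example: show which authority is vouching for a site on this machine.
function Get-TlsIssuer {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: the aim is to inspect it,
        # not to trust it. No application data is sent over this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain against the local stores to see which root it ends at.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($leaf)
        $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Host           = $HostName
            Issuer         = $leaf.Issuer
            ChainEndsAt    = $root.Subject
            TrustedLocally = $trusted
            # Assumption: an intercepting certificate names Superfish in its issuer.
            Intercepted    = ($leaf.Issuer -like '*Superfish*' -or $root.Subject -like '*Superfish*')
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Get-TlsIssuer -HostName 'www.example.com'   # placeholder host
```

If the root certificate has been removed but the filter is still running, `Intercepted` stays true while `TrustedLocally` turns false.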

Note that if you remove the Superfish root certificate without uninstalling the Superfish software, you’ll nevertheless be safer than you were.

The fake certificates used by the Superfish filter will no longer be trusted, so you will see warnings like this:

We hope this helps!

(For more detail about Superfish, please see our article here: Lenovo “Superfish” controversy – what you need to know.)

Image of fish used in Facebook post courtesy of Shutterstock.

0 Comments

Is Avast doing this as well? Firefox 35.0.1 / Windows 7

At first I got:
You are connected to Sophos.com

Verified by Avast! Web/Mail Shield

and trying again later the GlobalSign CA

and there’s an entry in my trusted root certificates

Reply

You’ll have to ask Avast. But if you have a standalone computer that you want to protect with web filtering, and you want that filter to look inside HTTPS, you pretty much need to do a MiTM.

OTOH, there’s something of a difference between a security program that you chose to install that does a MiTM in order to improve your security, and an adware program that you didn’t expect that does a MiTM in order to milk your web traffic to sell clicks…

Presumably, if Avast is doing a MiTM (certainly looks like it), the product doesn’t use the same private key everywhere :-)

Reply

There is another step when adding the Certificates add-in to the MMC. You must choose among the computer account, service account or user account. I believe the proper choice is computer account.

Reply

I used the first option (“my own account”) which is the default, and it worked. The reason I’m not 100% sure if that is always the right choice is that I was using a version of Superfish I installed conventionally myself.

I don’t have access to a Lenovo notebook with this thing pre-installed, so I can’t be sure exactly how the “supplied with the computer” version gets installed.

Anyone out there with a pre-infected Lenovo?

Reply

No *responsible* manufacturer would install anything other than the operating system and any drivers required to run whatever peripherals exist. Unfortunately, greed removes any requirement for manufacturers to be *responsible* as it does in so many other aspects of our lives nowadays.

Reply

The greed doesn’t originate with the manufacturer. The end user customer wants to get a bargain… they want a computer with all the candy, dirt cheap, with all the software they’ll ever need included. All that stuff costs real money.

It’s very much like the situation where folks are griping about privacy policies and data sharing while they demand online services that cost absolutely nothing. There’s a price… there is ALWAYS a price!

Reply

Seriously!? You’re gonna pull the “blame the customer” card? It seems anytime a large corporation is caught behaving badly they try to blame it on the customers. “Oh well, it’s all the evil customers’ fault, if we didn’t do these horrible things then we couldn’t mark up the product as much and we’d make lower profits, we’ve got a god-given right to make absurd profits. It’s the evil customers, they made us do it.”

The greed does originate with the manufacturer and it is not the customer’s responsibility to feed that greed by overpaying for an item to ensure a company’s exponentially increasing profits.

The notion that the cost of the product is largely based on the cost of production is a myth, as it fails to take into consideration the fact that the prices are inflated to whatever the market will bear. If you want an example, look at shaving razors, which have a markup of something like 4750%, or printer ink, which is up there as well.

A 38.70 billion dollar company clearly does not have an issue making money on their product. I sincerely hope this gets people extremely angry and costs Lenovo huge amounts of money, to teach them and everyone else who would dare try such a thing a lesson that will never be forgotten.

As you said there is ALWAYS a price and the price paid for such treachery should be extreme.

Reply

Hello, Thanks for these very easy to follow instructions on how to uninstall. I am stuck at uninstalling the certificate right now. I am working on Windows 8, I go to my “credentials”, but it seems that a certificate is not installed in there? Do you suppose I am safe and that the certificate is gone, or do you suppose that it is still hiding somewhere? Thanks! Please do advise me where I can find the certificate.

Reply
