Lenovo chief issues public apology for Superfish

Lenovo’s chief technology officer has issued a public apology for the Superfish scandal, which saw the company pre-install a serious security risk on its consumer laptops. Superfish was a piece of adware installed on selected models of Lenovo’s laptop from last autumn. Aside from being an obvious irritation, the Superfish software was also flawed in its design, leaving seemingly secure connections open to hackers.

Superfish acted as a proxy, rerouting all your internet traffic via its servers. It also installed itself as a certifcate authority on users’ computers, so that it could inject ads into encrypted web pages. However, Superfish used the same private key on every computer that its software was installed on, meaning hackers could potentially use this private key to decrypt every secure bit of traffic from Lenovo laptops, including logins, passwords and private emails. Indeed, security experts managed to get hold of the poorly protected key, making the threat not only theoretical but a live risk. 

How do you remove Superfish? Find out here

Lenovo said it had stopped installing Superfish on new PCs and issued a tool to remove it from exisiting devices over the weekend, but now in full damage limitation mode, the company’s chief technology officer has issued a public apology and outlined further steps the company is taking to “protect” affected customers.

“Clearly this issue has caused concern among our customers, partners and those who care about Lenovo, our industry and technology in general,” says Peter Hortensius.  “For this, I would like to again apologise.”

Aside from issuing its own removal tools, Hortensius says Microsoft, McAfee and Symantec have also updated their security software to remove the application and the vulnerable certifcate, “which means users with any of these products active will be automatically protected”. Even if the operating system image containing Superfish is used to reinstall Windows on the affected PCs, the security software will remove it after it’s updated and runs its first scan, Hortensius claims.

Furthermore, Hortensius says Lenovo will be “working directly with users, privacy/security experts and others to create the right preload strategy quickly”, and that it will be “soliciting and assessing the opinions of even our harshest critics in evaluating our products going forward”.

The CTO reiterates that the Superfish software was never installed on Lenovo’s business-grade ThinkPad machines, lest corporate customers worry that their entire fleet of laptops is compromised, but concedes that “our reputation touches all of these areas, and all of our customers”.