Lenovo CTO admits company 'messed up' and will publish Superfish removal tool on Friday

20.02.2015
Lenovo plans to release an automated tool that will remove the Superfish adware from affected PCs on Friday, said the company's chief technical officer, who admitted that Lenovo had "messed up."

Lenovo's CTO, Peter Hortensius, told PCWorld that the company has published instructions on how customers can remove the Superfish software themselves, but promised an automated solution by week's end.

"We're removing it as thoroughly as we possibly can," Hortensius said. For our own guide to removing Superfish, see our previous story. For Lenovo's own instructions, check out the PDF here.

Superfish bundles together visual search apps for Android and iOS, including LikeThat Decor, Pets, and Garden. The tool identifies particular objects and tries to find similar images. In 2012, the company developed WindowShopper, a technology that allowed shoppers looking for a kitchen table online, for example, to find similar products elsewhere. On Lenovo's PCs, the software stepped in to search more than 70,000 stores to find similar items, according to a Lenovo customer posting. Superfish technology was preloaded on several Lenovo consumer PCs, but Lenovo halted the practice in January.

Adi Pinhas, the chief executive of Superfish, said in a statement that the company's software had not been active on Lenovo PCs since December. "It is important to note: Superfish is completely transparent in what our software does and at no time were consumers vulnerable--we stand by this today," he wrote. "Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrongdoing on our end."

Superfish has not been pre-installed on PCs from other manufacturers, Pinhas added.

Superfish security risk was the real issue

Hortensius said that the Superfish software was opt-in, meaning that customers would have to approve its use. If they did so, however, the software stepped in to deliver its own ads. The real concern is that it issued its own security certificates, re-signing every SSL certificate presented by HTTPS sites with its own certificate authority, so the browser trusted Superfish's certificate rather than the site's. That position between the browser and the site is what is known as a man-in-the-middle attack.
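An added example, not part of the PCWorld article and not Lenovo's removal tool: a PowerShell audit that a Windows administrator could run to find a locally installed root certificate of the kind described above and to check whether the program is still registered. It assumes the certificate's Subject field contains the string "Superfish"; run it from an elevated prompt.

```powershell
# Added example (not Lenovo's or Superfish's code). Audits the Windows
# certificate stores for a locally installed CA whose Subject or Issuer names
# Superfish, and checks Programs and Features for the application itself.
# ASSUMPTION: the rogue root's Subject field contains the string "Superfish".
$pattern = '*Superfish*'

# Root and intermediate stores for both the machine and the current user.
$storePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\CA'
)

$found = foreach ($path in $storePaths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                PSPath     = $_.PSPath   # provider path used for removal
            }
        }
}

if ($found) {
    $found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    # Dry run: -WhatIf only reports what would be deleted. Remove the
    # -WhatIf switch once the listing above shows only the rogue CA.
    foreach ($cert in $found) {
        Remove-Item -Path $cert.PSPath -WhatIf
    }
} else {
    Write-Output 'No certificate naming Superfish found in the audited stores.'
}

# Is the Superfish application still registered as an installed program?
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $pattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString
```

Browsers that keep their own trust store, such as Firefox, are not covered by the Windows stores audited here and need to be checked separately.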

"Going forward, we feel quite strongly that we made a significant mistake here, or we missed something here," Hortensius said. "We have procedures... where we asked the right questions, but we clearly didn't do a thorough enough job on this. And we're going to do a very deep investigation in what we do to make this better. We intend to do that work, and come back and let our users have input into what we need to do... and how we make sure we don't ever repeat this again."

"At the end of the day, we're seeing clearly that we messed up," Hortensius said.

Hortensius said that Lenovo and Superfish had a "minor commercial relationship," without specifying further. The Superfish adware has not been re-installed on Lenovo PCs, and Hortensius said that if it struck a similar deal, "it would not be for a very long time".

With that said, Hortensius didn't rule out adware returning to Lenovo PCs.

"I think you do this thing right, people like information and awareness," Hortensius said, when asked whether adware would be used again. "You do them wrong, it's obviously a disaster."

(www.pcworld.com)

Mark Hachman