Security experts call for halt to PC 'crapware' after Lenovo debacle

20.02.2015
Well, the crapware certainly hit the fan.

That was the take by security professionals Thursday, who called on Lenovo -- and other PC makers -- to stop the practice of loading third-party software on new PCs.

"Bloatware needs to stop," said Ken Westin, security analyst from security firm Tripwire, in an interview. "Companies like Apple, which sell their products on their own merits, they don't sell out their customers with this adware crap."

The practice of pre-installing software on new machines is so widespread, and has been going on so long, that it has well-worn labels, like Westin's "bloatware" or the cruder but more descriptive "crapware." Device OEMs (original equipment manufacturers) load such software for financial reasons, cutting prices on the hardware so drastically -- usually in an effort to keep pace with rivals -- that the money earned from software makers is sometimes the difference between profit and loss.

OEMs are paid to load the software onto their PCs -- developers fork over money to get their programs in front of users -- and earn revenue when consumers pony up to extend the trial periods of those pre-loaded applications that come with expiration dates.

But with the latest Lenovo fiasco, crapware-as-a-security-threat has triggered a blowback much greater than the contempt and ridicule formerly assigned it by consumers. And that's going to hurt the China-based PC maker.

"We need to be able to trust our brands," said Westin. "But that's very difficult here. What else have they deployed on their PCs? When they pull this kind of stuff, I know I don't want to buy a Lenovo."

Westin and others were reacting to the stance Lenovo initially took Thursday when it denied that Superfish Visual Discovery, a pre-loaded adware program billed as an image search tool that would "help customers potentially discover interesting products while shopping," was a security threat.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," Lenovo said in a Thursday statement that was subsequently altered to drop that line.

By the end of the day, Lenovo had backtracked, with its CTO, Peter Hortensius, admitting to IDG News Service -- like Computerworld, a part of IDG -- that the company had "messed up badly."

Hortensius said that Lenovo wasn't aware of Superfish's vulnerability to abuse by cyber criminals until it was publicly disclosed by security researchers. Google security engineer Chris Palmer launched a vigorous Twitter discussion on Wednesday after buying a new Lenovo laptop, and Robert Graham, CTO of Errata Security, outlined how he cracked the certificate's password in a Thursday blog post.

Superfish had been installed on a slew of Lenovo consumer-grade personal computers and 2-in-1s from September through December 2014. The OEM did not disclose the number of affected PCs, but listed the models, which included those in the E, G, S, U, Y and Z series, as well as ones in the Flex, MIIX and Yoga lines.

Lenovo stopped installing Superfish on its hardware last month, and at the same time disabled the software on all the devices onto which it had been loaded. The firm also promised not to install Superfish in the future. But that still left the software on PCs.

Later Thursday, Lenovo published manual instructions for removing both Superfish and the self-signed certificate that was at the root of the potential abuse. The firm also said it would soon release a tool that would scrub both the application and the certificate from its PCs automatically, and was looking into ways to auto-deliver that tool, perhaps with the help of partners Microsoft and McAfee.
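As an added illustration, not taken from the article or from Lenovo's own removal instructions, the following PowerShell script audits the Windows trusted-root certificate stores for a certificate carrying the Superfish name and reports whether it is self-signed, which is the property that made the pre-loaded root exploitable. The substring match on "Superfish" and the `-Remove` switch are assumptions; the page gives neither the exact certificate subject nor a thumbprint, so none is hard-coded here.

```powershell
# Added example: audit the trusted-root stores for a Superfish certificate.
# Assumption: the certificate's subject or issuer contains "Superfish";
# the exact subject string and thumbprint are not given in the article.
param(
    [switch]$Remove   # without this switch the script only reports findings
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                # A root whose subject equals its issuer is self-signed: anything
                # holding its private key can mint certificates the PC will trust.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                Thumbprint    = $_.Thumbprint
                Path          = $_.PSPath
            }
        }
}

if (-not $findings) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
    return
}

$findings | Format-Table Store, Subject, SelfSigned, HasPrivateKey, NotBefore, Thumbprint -AutoSize

if ($Remove) {
    # Deleting from the LocalMachine store requires an elevated session.
    foreach ($f in $findings) {
        Remove-Item -Path $f.Path -Confirm
    }
} else {
    Write-Output 'Re-run with -Remove to delete the certificate(s) listed above.'
}
```

Deleting the certificate alone is not a complete fix while the application remains installed, which is why the vendor's instructions cover both the software and the certificate.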

"Lenovo could approach Microsoft and ask to inject a removal tool inside of Windows Update," said Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy. "We've seen [Microsoft] do similar things in the past where they have issued killbits on ActiveX components. I suspect that the Malicious [Software] Removal Tool [MSRT] could do it."

MSRT is a Microsoft-made malware deletion tool that is refreshed each month and included with other security updates the company issues on Patch Tuesdays.

Microsoft declined to answer questions about whether it was willing to aid Lenovo, the world's largest PC seller, by using Windows Update.

For Storms, even the promised cleanup tool wouldn't be sufficient, because Lenovo owners would have to hear about it, and then download it themselves. Under those conditions, a large portion of the affected PC owners will continue to run vulnerable systems. "Lenovo needs to take a stand here and offer to remove the software from every computer," said Storms in an interview conducted over instant messaging.

But it was the practice of loading crapware onto computers that drew unanimous ire from security professionals.

"OEMs frequently undermine the security of their systems through third-party software bundles," said HD Moore, the chief research officer at Rapid7 and the creator of the open-source Metasploit penetration-testing framework. "In the PC area, we have all sorts of privacy exposures and flat-out security issues due to unauthenticated third-party software updaters."

Westin echoed Moore, but also pointed out that with data breaches commonplace and reports of nation-state cyber spying increasing, consumers are increasingly sensitive to digital security and privacy issues, as the fast-spreading news of Lenovo's snafu demonstrated. "We're more privacy and security conscious," Westin said. "So when this sneaks past an OEM, there will be a significant impact on sales and their brand. But it's all about, 'How can we monetize these installs?'"

In its statement Thursday, Lenovo claimed that the decision to pre-load Superfish was not financially motivated. "The relationship with Superfish is not financially significant; our goal was to enhance the experience for users," the company said.

"Yes, 'significant,'" countered Storms.

"The amount of pre-installed software on computers has been out of control for years," Storms added. "Every grandma who gets a new computer would never be able to remove all the so-called helpful apps installed, from browser toolbars to picture editing apps and even time-crippled AV [antivirus] software. When you get a new computer it should be spanking brand new and clean."

Some PC sellers have used crapware-free machines as a selling point. Microsoft, for instance, has long sold a line it's dubbed "Signature Edition," third-party personal computers that come with "no junkware or trialware."

That should be the default, not the exception, said Westin, who saw a ray of hope from Lenovo's blunder.

"The silver lining here is that people are paying attention to the security and privacy concerns about bloatware," Westin said. "Maybe a few years ago this would have all gone unnoticed."

(www.computerworld.com)

Gregg Keizer