The Internet is lighting up with warnings about Superfish, an adware program that came preinstalled on many Lenovo laptops in the past six months. Like a lot of the bloatware that comes on new computers, Superfish exists to help push advertising, not to serve any real consumer need. That would be annoying enough, but Superfish seriously undermines the user's safety, according to many security experts.
Superfish is a piece of third-party software that Lenovo installed to, as it says in its apology to consumers, "enhance the shopping experience." That means it's meant to help advertisers target potential customers. But security experts say the software makes it easy for cybercriminals to intercept your data as it travels from your computer out to the Internet.
That's because of the way Superfish deals with what's called a root certificate. A root certificate tells your computer which certificate authorities to trust when you visit a secure (HTTPS) site. The problem is, in order to place ads, Superfish installs its own root certificate, which allows it to intercept and decrypt your encrypted communications. Even if Lenovo's paying customers don't mind Superfish intruding in that way, they should be concerned because the software opens their communications to a malicious man-in-the-middle attack by hackers.
"What they would get is everything passing out of your machine—every password, every bank-account number, every e-mail," said Professor Fred Cate, founding director and senior fellow at the Center for Applied Cybersecurity Research at Indiana University's Maurer School of Law. "It's pretty dire, but we don't know yet if anyone has exploited it."
The affected computers were laptops shipped between September 2014 and February 2015. Check out the complete list, which includes dozens of models.
If you own one of these laptops, uninstall Superfish and its certificate immediately. Microsoft confirms that its Windows Defender security software removes both. If you don't already have it, you can download Windows Defender.
You also can remove Superfish manually using these instructions, which are basically just a typical software uninstall. You must also remove the certificate manually, by searching for and deleting it. Instructions for doing that are on the same page.
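The certificate search the instructions describe can also be done from a PowerShell prompt. The script below is an added example, not code from Consumer Reports, Lenovo or Microsoft; it assumes the offending certificate's subject contains the word "Superfish" and looks for it in the machine-wide and per-user trusted root stores. By default it only reports what it finds; passing -Remove deletes the matching certificate(s).

```powershell
# Added example (not from the original article, Lenovo or Microsoft): find any
# trusted root certificate whose subject mentions Superfish and, on request,
# remove it. Assumption: the certificate's subject contains the string "Superfish".
param(
    [switch]$Remove   # pass -Remove to delete what is found; default only reports
)

# Both the machine-wide and the current user's trusted root stores are checked,
# because a root certificate in either one is trusted by Windows.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found  = @()

foreach ($store in $stores) {
    # -match is case-insensitive, so "superfish" and "Superfish" both hit.
    $hits = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' }

    foreach ($cert in $hits) {
        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
        if ($Remove) {
            # Deleting from the LocalMachine store requires an elevated prompt.
            Remove-Item -Path $cert.PSPath -Verbose
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the checked stores.'
} else {
    $found | Format-Table -AutoSize
    if (-not $Remove) {
        Write-Output 'Re-run with -Remove from an elevated PowerShell to delete the certificate(s) listed above.'
    }
}
```

Run it once without arguments to see whether the certificate is present; if it is, run it again from an elevated PowerShell with -Remove. Removing the certificate is only half the fix: the Superfish program itself still has to be uninstalled, or it may reinstall the certificate.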
What's really needed is a one-button solution to get rid of Superfish and its certificate, said Cate. Without that, he added, "it will be weeks before people get it off."
Let's hope that Lenovo and Superfish are working overtime to get that one-step fix out to consumers.
—Donna Tapellini