Lenovo has been shipping its PCs with built-in malware that is a new level of insidiousness and nasty. Before I explain what it does, if you have a Lenovo machine, or know someone who does, go now to this site and see what it says.
What is going on? It turns out that Lenovo, either by design or by sheer stupidity, has included a piece of software called a root certificate, from this company Superfish. Now, if you aren’t a computer expert, this is probably meaningless to you. So let me break it down. With this Superfish certificate, every site that you go to in your browser using the HTTPS protocol is subject to being exploited by some bad guys. Chances are, it may not happen to you.
In any case, you want to remove this thing pronto. Here are the instructions from Lenovo.
Back in those innocent days of the early Web, we use to say add the S for security when you were browsing. This forces an encrypted connection between you and the website that you are visiting, so your traffic over the Internet can’t be captured and exploited.
But having a bad certificate turns this completely around: with it, you can decrypt this traffic, indeed, you can manipulate the web browsing session in such a way that you might not even realize that you are going to ThievesRUs.com instead of your trusted BankofWhatever.com. While no one has yet reported that this has happened, it is only a matter of time. There is a great article explaining this exploit on ArsTechnica here.
Certificates are the basic underpinnings of secure infrastructure, they are used in numerous other situations where you want to make sure that someone is who they say they are. By using a bad certificate, such as the one from Superfish, you throw all that infrastructure into disarray.
To get an idea of how many certs you use in your daily life, open up your browser’s preferences page and click on over to the Certs section, there you will dozens if not hundreds of suppliers. (see screenshot at left) Do you really trust all of them? You probably never heard of most of them. On my list, there are certs from the governments of Japan and China, among hundreds of others. You really have no way of knowing which of these are fishy, or even superfishy.
This isn’t the first time that bad certs have popped on on the Intertubes. There have been other situations where malware authors have signed their code with legit certs, which kinda defeats the whole purpose of them. And back in 2012, Microsoft certificates were used to sign the Flame malware; the software vendor had to issue emergency instructions on how to revoke the certs. And in 2011, the Comodo Group had issued bogus certs so that common destinations could have been compromised.
It is getting harder to keep track of stuff and stay ahead of the bad guys, even when they don’t have the auspices of a major PC manufacturer behind them.