No one likes crapware--the adware and trial software that PC and smartphone vendors put on their devices. Until recently, though, we rarely got actual malware installed on new computers. Now, thanks to Lenovo and the Superfish Visual Discovery adware, we didn't merely get ads injected into our search engine results, we also had our computers' doors opened to man-in-the-middle Secure Sockets Layer/Transport Layer Security (SSL/TLS) attacks.

Users always disliked Superfish. As early as September 2014, Lenovo buyers were complaining about Superfish's fishy search results. Lenovo, however, didn't admit to installing Superfish, and its problems, until January 2015. Then Mark Hopkins, a Lenovo social media program manager, admitted that Superfish had "some issues (browser pop up behavior for example)," so Lenovo temporarily removed Superfish from its systems.

What Lenovo didn't say was that Superfish was installing its own self-signed root certificate authority (CA). This enabled the Superfish software to void SSL/TLS connections and gave hackers a hole they could use to mount a man-in-the-middle (MITM) attack and view the contents of any "encrypted" connection. This hole was discovered on January 21 by a Lenovo user. Lenovo, however, while no longer installing Superfish on new systems, didn't alert users to the potential danger. This hole can be used against you no matter which Web browser you're using.

Then the problem with Lenovo consumer laptops running Windows 8.1, sold between September 2014 and January 2015, was shown to be even worse than expected. Google security engineer Chris Palmer showed on Twitter that Superfish was intercepting SSL/TLS connections and injecting its own self-signed certificates for all sites on his Yoga 2 laptop. This included such sites as the one for Bank of America.
On February 19th, the problem went from merely terrible security practice and a potential problem to being a real security hole. Robert Graham, a security hacker, extracted the password that Superfish uses for its CA and published it. This means that, as Graham put it, "I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a café wifi hotspot."

So, since you could be having your password stolen at this very moment if you're in a coffee shop right now using your new Lenovo to look at a secured Web site open in another tab, here's how to zap Superfish.

First, you need to get rid of the program. To do that, take the following steps:

1. Go to Control Panel > Uninstall a Program
2. Select Visual Discovery > Uninstall

According to Lenovo, that's all you need to do, and besides, "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns." In part, Lenovo states this because "Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market."

I don't buy it. If that's the case, then Palmer never should have been misdirected while browsing with his Lenovo laptop on February 18th.

This issue aside, the bad certificate will still be on your Windows system.
To get rid of it, run the Microsoft Management Console, Mmc.exe (you need an administrator's credentials to do this), and do the following:

1. Go to File -> Add/Remove Snap-in
2. Pick Certificates, click Add
3. Pick Computer Account, click Next
4. Pick Local Computer, click Finish
5. Click OK
6. Look under Trusted Root Certification Authorities -> Certificates
7. Find the one issued to Superfish and delete it.
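
The same check can be scripted. The following PowerShell is an added example, not part of the original article or anything from Lenovo or Microsoft: it lists certificates in the local computer's Trusted Root Certification Authorities store whose subject or issuer contains "Superfish" and deletes them only when run with -Remove. Matching on that name and the function name Find-RootByName are assumptions made for this example.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# Assumption: the certificate is identified by the name "Superfish" in its
# Subject or Issuer, following the article's "issued to Superfish" instruction.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Name = 'Superfish',  # text to look for in Subject/Issuer
    [switch]$Remove               # delete matches instead of only listing them
)

# The store the MMC steps open: Computer Account -> Trusted Root Certification Authorities.
$store = 'Cert:\LocalMachine\Root'

# Hypothetical helper: returns one summary object per matching root certificate.
function Find-RootByName {
    param([string]$Store, [string]$Text)
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -like "*$Text*" -or $_.Issuer -like "*$Text*" } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Path       = $_.PSPath
            }
        }
}

$hits = @(Find-RootByName -Store $store -Text $Name)
if ($hits.Count -eq 0) {
    Write-Output "No trusted root matching '$Name' was found in $store."
    return
}
$hits | Format-List Subject, Thumbprint, NotAfter, SelfSigned

if ($Remove) {
    foreach ($hit in $hits) {
        # ShouldProcess makes -WhatIf and -Confirm work for the deletion.
        if ($PSCmdlet.ShouldProcess($hit.Subject, "Remove from $store")) {
            Remove-Item -LiteralPath $hit.Path -ErrorAction Stop
        }
    }
    # Re-scan so a failed deletion is reported rather than assumed.
    $left = @(Find-RootByName -Store $store -Text $Name)
    Write-Output "Matching roots remaining after removal: $($left.Count)"
}
```

Run it once without -Remove to review what matched, then again with -Remove (optionally with -WhatIf) to delete.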