It looks like Lenovo has been installing adware onto new consumer computers from the company that activates when taken out of the box for the first time.
The adware, named Superfish, is reportedly installed on a number of Lenovo’s consumer laptops out of the box. The software injects third-party ads on Google searches and websites without the user’s permission.
This is bad enough as it is, but surprise surprise, the malware in question is actually horribly insecure and allows for some crazy stuff to happen.
Superfish, an adware program that Lenovo admitted in January it included as standard on its consumer PCs, reportedly acts as a man-in-the-middle” so it can access private data for advertising purposes. The adware makes itself an unrestricted root certificate authority, installing a proxy capable of producing spurious SSL certificates whenever a secure connection is requested. SSL certificates are small files, used by banks, social networks, retailers such as Amazon, and many others, to prove to incoming connections that the site is legitimate. By creating its own SSL certificates, Superfish is able to perform its advertising tasks even on secure connections, injecting ads and reading data from pages that should be private.
Do not buy Lenovo. In fact, do not buy any Windows PC that is not a Signature Experience.
That second link to the verge is missing an ‘s’, should be:
http://www.theverge.com/2015/2/19/8067505/lenovo-installs-adware-pr…
“Do not buy Lenovo. In fact, do not buy any Windows PC that is not a Signature Experience”
it shoud be common knowledge by now to Format a new PC before using it
It won’t help in this situation. Lenovo was deploying it in their control center software. You will install it alongside your drivers if not careful.
Don’t install it. Actually, it is generally a good idea to avoid vendors’ applications whenever possible.
Windows Update does a good job of installing drivers these days, so you may only need bluetooth software (Microsoft’s bluetooth drivers don’t include drivers for specific protocols) and some occasional fallouts.
Driver-hunting on websites is so old school. While you have your machine up and running (with all the unwanted software included) run this command (requires Windows 8.1 Update 1):
dism /online /export-driver /destination:U:\DriverFolderOnYourUSB
If you aren’t running that version of Windows, just make a bootable USB from the official ISO (yes, you can download those legally from Microsoft) and then from the installation screen press Shift+F10 and run the similar command:
dism /image:c:\ /export-driver /destination:U:\DriverFolderOnYourUSB
That command (dism /export-driver) will export the pure drivers, so no need to run any installers later. Just point the Update Driver dialog from Device Manager to your U:\DriverFolderOnYourUSB
Thanks for the information. Please note though, the ability to download retail .ISO files for Windows 7 is limited to retail full and upgrade versions. You can’t use the OEM COA key to obtain such an ISO from Microsoft.
In regards to the following:
That command (dism /export-driver) will export the pure drivers, so no need to run any installers later. Just point the Update Driver dialog from Device Manager to your U:\DriverFolderOnYourUSB
Where exactly during setup should this be done? When you boot from the DVD at the ‘Install Now’ screen or at selecting the type of installation?
there are other sources for that like
http://winfuture.de/downloadvorschalt,3291.html
if you understand german i highly recommend winfuture.de (they also make great update-packs)
You can’t use Windows 7 for this, it doesn’t understand the /export-driver argument. You could write a script for it (like I did in the past) but this forum is not a place for that
To get official ISO files (legally): http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-m…
And you can use the Shift+F10 trick at any time during the installation, but it is probably easiest to do it at the “select where you want to install” screen because you can see the drive letters at that point
Lenovo/IBM used to do a good job there—now most of this stuff is garbage optimized to sell you something.
IBM also used to ship some bloated and pointless software, but at least they weren’t intentionally and actively working against their customer’s interest, like Lenovo is, and has been for years, if not from day one.
Sadly not, most average Joes want their computer to just work, the same way their phone, tablet and TV do. Switch it on and go online without having to take any special steps.
Unfortunately, even formatting might not be a help here because the OS isn’t provided as a separate install these days, normally it’s simply a hidden partition with a factory-supplied image on it, complete with drivers, crapware and whatever else the manufacturer decides to include. A bare OS install probably involves buying another copy of the OS, which is really crazy since you’re already paying for it within the purchase cost of the computer.
Actually you only need installation medium to make a clean install these days. ACPI tables of your laptop contain SLIC, so using OEM license key you can activate your installation of Windows just fine. I guess it is illegal in US, but it is absolutely legal elsewhere.
Unfortunately, the install disc that comes with most PCs has the foistware included. I guess it’s possible to download an OEM install disc from Microsoft and use the product key that came with the computer, but not sure.
This simply isn’t an option for most people.
I’m savvy. I work in mobile security. But at home, I just want to use my damn computer. I don’t have the time/inclination to spend endless hours screwing around with it.
Definitely not buying a Lenovo every again though. The laptop I bought (IdeaPad Y500) has hardware design flaws, and now they start doing this sort of idiotic nonsense? No thanks.
ThinkPads are still best available laptops. The only real issues known to date are:
1. Whitelists for “WLAN” mPCI-E slot.¹ (Some solutions exist,² but this is not a big deal on Intel-based Lenovos, as drivers are either readily available or soon to come for most OSes.)
2. Hardcoded UEFI menu options. (This is a big deal if you want to use UEFI, but you shouldn’t.)³
¹ http://support.lenovo.com/us/en/documents/ht001309
² http://www.thinkwiki.org/wiki/Problem_with_unauthorized_MiniPCI_net…
³ http://mjg59.dreamwidth.org/20187.html
It’s not about drivers, it’s about replacing the card with another, but the BIOS refusing it. I do not know how the newer models handle it, but on the older one I have the BIOS completely refuses to boot or let you into setup or anything if it detects an “unauthorized” card in the slot and there is no way of bypassing it other than flashing a modified BIOS.
Why would you need it?
Very much the same way, only now the BIOSes are harder to modify. FWIW I had my ThinkPad boot once with an “unapproved” card, but I failed to reproduce it.
> Why would you need it?
I have a Thinkpad with an 802.11n card and might want to upgrade my home network to 802.11ac later.
Besides, the stock Lenovo firmware is buggy as hell, and flat-out refused to boot GRUB when AMD-V (virtualization extensions) were enabled, so flashing a “dewhitelisted” BIOS solved both issues.
True, firmware is buggy as hell. But it is a market standard now, and it’s long since I’ve seen a good firmware.
P.S.: if you are talking about GRUB2, I’m not sure it was firmware’s fault though. It is the single worst Linux bootloader I’ve seen. Ever.
If the installed card stops working, for example, and there’s no warranty left? It’s a perfectly reasonable situation where you might want to replace the card. Or if you want one with support for newer standards.
This is not a valid rationale for complaining about IBM’s or Lenovo’s whitelisting policy. This whitelist is basically a sales policy, which postpones a bit of payment to the time when you’ll need to replace a part. People largerly tolerate that with phones, cars and other stuff, including custom latop parts. Lenovo basically extends that to parts.
P.S.: if you really want to circumvent it, you may use USB wireless.
You and I are going to disagree on that. I view any such whitelisting/blaclisting as something that does deserve complaining. If other companies can avoid such then IBM and Lenovo can do that, too, they just choose not to.
And have a large dongle with enormous antennas sticking out of it hanging to the side? Internal cards are much, much more useful.
Agree, although not sure whether it changes anything.
Mine is less then 0.5 cm (not counting USB connector), and its signal reception is on par with all laptop built-in anthenas I came across.
Also, Thinkpad keyboard design went to hell about 2-3 years ago. They are all poor Mac clones now, so not even close to acceptable for programming.
My ThinkPad works for me. And I don’t see how ThinkPads are MacBook clones.
Well, that sounded fanboyish, but there are actually three saling points for me in ThinkPads:
1. TrackPoint.
2. Three hardware “mouse buttons”.
3. Positive experiences in the past.
I would definitely not buy a laptop without first option, unlikely – without second, and due to the third I’m pretty sure my next laptop will be another ThinkPad.
I’ve owned every T-series and X-series from the X31 up to the T530. I am typing this on a T510. I will probably never own another Thinkpad. Build quality has been hit or miss, but the overall trend has been downward while competitors (specifically the Latitude/Precision lines and the Elitebook brand) have caught up, and in some cases, surpassed the Thinkpad.
Six row keyboards. No ability to purchase without Windows (and yes, this was a recent as two weeks ago when I tried to order the X250). No more Thinklight. Keyboards that show wear after six months, and palmrests that show wear after a year. RAM limited to 8GB, soldered onto the motherboard, with ULV processors making the new X-series less powerful than the three year old X230. Workstation-class machines that throttle down because they were so poorly designed that they would overheat otherwise. This doesn’t even factor in the atrocity that was the *40 series trackpoint…it’s obvious that Lenovo was trying to get rid of the Trackpoint in their race to the bottom whilst poorly copying Apple at the same time (as they already have on the 11″ X-series), and it backfired so badly that they had to regress and put buttons back for the trackpoint.
My theory is this: Lenovo got caught placing malware on government computers back during the T4x line, shortly after they purchased the Think-brand from IBM (okay, that’s not a theory, that’s a fact that I helped clean up). Government and large enterprise (basically, anybody with anything to lose IP wise) decided to migrate to Dell/HP/Panasonic systems. Without that business income, Lenovo decided to leverage the “Think” brand in the consumer market (remember Thinkpad Edge?). So with a new target demographic, Lenovo started making changes (because the die-hard Thinkpad buyers will always be there, so why cater to their interests?) to attract a wider audience. And it worked. Largest PC manufacturer in the world, and all that. But they have no compelling reason to build business-class machines any longer. You will not find a magnesium rollcage in a new Thinkpad (but you will find a mostly magnesium, some titanium chassis on the Elitebook, for example). The commonalities between a new Thinkpad and the T60 series (probably the pinnacle of Thinkpad design, and the highlight of the IBM/Lenovo partnership) are only vestiges that Lenovo hasn’t been able to shed yet.
Lenovo has ruined the Thinkpad brand. There are better alternatives out there, and you don’t have to support a company that purposely intercepted secure internet transactions of its consumers.
consumer and thinkpad lines are not the same… (and it’s the former why lenovo is the “Largest PC manufacturer in the world, and all that”)
I don’t run windows, so pre-installed malware doesn’t really affect me.
I do own a lenovo tablet thing, though. I bought it, wanting to install linux on it … and well … surprise surprise …
They crippled the bios so as to only accept winpe install media.
Now THAT is just evil.
Never enjoyed Lenovo, especially now. As for adware, I always use proxy servers, of course paid. Recently acquired from this source http://buy.fineproxy.org/eng/, gonna test them at my new HP laptop.
Thanks for the tip Thom. Looks good! Should include a Service called ‘Spartan Ax’ to shutdown services, protocols, etc. Should include a Child Overseeing Service. Should include a ‘per web site configuration’ Service.
I’m sure that’s all this is. There’s no way that a spurious SSL proxy, being installed by an OEM, could possibly have anything to do with the recent spying. Of course not. How silly of me.
Actually, I doubt it is spying related. This is just too clumsy… too heavy handed, dangerous.
And I’d grant you, that’s about normal for government work, but we *know* that NSA has access to much more sophisticated methods than simply having a manufacturer ship dodgy CA certificates. This just smells like incompetence….
I will say Thinkpads tend to be well supported in the open source and Linux community compared to other laptops out there and they are one of the more popular ‘certified’ vendors for Ubuntu (for example). So don’t throw them completely under the bus.
If you’re going to put Linux on it, chances are you’re also competent enough to put a clean Windows on it. In either case, you’re not the one who needs to worry about this spyware. It’s the typical users this hits the hardest and, I must say, with Lenovo’s prices they can’t even use the excuse of cutting costs to justify it.
I would be interested to kown how much superfish is paying for putting it on lenovo laptop and how much is reflected on the price of the laptop.
And I would really like to know who though this was a great idea to put a software that put ads in your user laptop, and should be condemn to use it until the end of time ( disclaimer : I am against harassment and public shaming most of the time, I do understand than these are humans making stupid decisions, but I think it would be fair for them to endure what they inflict on other users, with all the risk involved )
You, me, we might be horrified by ad-ware but for many users it is a normal experience on PCs possibly made more normal by the model being quite heavily used on Mobile phones.
This is especially so in China, Lenovo is Chinese. My experience of most user computers in China is a painfully slow computer, stuffed to the gills with ad-ware supported animated horror, I kind of Who framed Roger Rabbit inspired hell. Often running entirely on pirate-ware, ad-ware and malware (There is a good reason why Clam AV sees much of Tencents software as malware).
I recently reinstalled a clean Windows for a user, who then insisted they needed a Free English, Chinese dictionary, (must have, must have) whose ad-ware engine on its own used more resources than Core Windows components such as Explorer and massacred the PCs performance.
This experience is normal for many users who see this as how computers are. Obviously for many users as soon as they install third party software from CNET etc this will come with the almost mandatory registry cleaning malware etc. Then they will wish to add a few custom cursors or smilies. Lenovo is just starting the experience for them.
the cheaper the computer in the stores, the more BS they preload.
Dell was the worst at installing bloat ware. That’s why you purchase business class computers if you’re not building your own.
“Do not buy Lenovo. In fact, do not buy any Windows PC”
The rest of his words are irrelevant.
Just don’t use Windows. Install something else. Problem solved.
I have a Lenovo laptop and I do still have Windows installed just in case, but I practically never boot into it. Hell, the few times I do attempt to boot into it the god damn operating system just crashes anyway and drives me out of it faster than I booted into it in the first place. So in other words, this problem doesn’t really effect me.
Overall I’m happy with my laptop–well, everything other than the operating systems it came with (Windows 8 with the ability to use Windows 7–both crash and burn regularly).
Being a Chinese company you might want to consider what other benefits that gives to a Government that has no respect for privacy
in that regard i would think about usa, uk, and israel
and what did i read today?
superfish is a us-company that is run by israelis
so, just like US companies & gov…
Do not buy Windows. FTFY!
ars has an update
http://arstechnica.com/security/2015/02/ssl-busting-code-that-threa…