The US government on Friday urged Lenovo Group Ltd customers to remove "Superfish," a program pre-installed on some Lenovo laptops that is said to make users susceptible to cyber attacks.
The Department of Homeland Security released a statement saying that Superfish makes users vulnerable to SSL spoofing, in which remote attackers can read encrypted web traffic, redirect traffic from official websites to spoofs, and perform other attacks.
Lenovo later released a statement apologizing for the concern caused among users and said it is exploring every action it can take to deal with the issues surrounding Superfish. "We ordered Superfish pre-loads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday (Thursday)," the Lenovo statement said.
Adi Pinhas, chief executive of Palo Alto, California-based Superfish, said in a statement that the program was intended to help users get more relevant search results based on images of products they viewed. He said the vulnerability was "inadvertently" introduced by Israel-based Komodia. Komodia CEO Barak Weichselbaum declined to comment on the issue.
"We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it," the company said, adding that it was offering tools to remove the software and its certificate.
Lenovo said that only machines shipped from September to December of 2014 had been pre-installed with the vulnerable program. The company's support website released a list of affected Lenovo products, which includes laptops in its Yoga, Flex and MiiX lines as well as its E, G, U, Y and Z series.
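The SSL spoofing risk described above comes from the trusted root certificate that Superfish installs alongside the software, which is why Lenovo's removal tools target both the program and the certificate. The following PowerShell check is an added example, not code from Lenovo or from the article; it inspects the Windows trusted root certificate stores for any certificate whose subject contains "Superfish" (the publicly reported subject name; the article itself does not give the certificate's name or thumbprint, so no thumbprint is used) and reports what it finds without changing anything. Run it in an elevated PowerShell session so both the machine and user stores are visible.

```powershell
# Added example: audit Windows trusted root stores for a Superfish certificate.
# Assumption: the certificate subject contains the string "Superfish" (publicly
# reported subject name); adjust $Pattern if your environment differs.
# The function only reads the stores; removal is left to Lenovo's official tool.

function Find-SuperfishRootCert {
    param(
        [string]$Pattern = '*Superfish*'
    )

    # Both stores are checked because a root trusted in either makes
    # SSL interception possible for that user / machine.
    $storePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    $findings = @()

    foreach ($path in $storePaths) {
        if (-not (Test-Path $path)) { continue }

        $matches = Get-ChildItem -Path $path |
            Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern }

        foreach ($cert in $matches) {
            $findings += [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                # A self-signed root (Subject == Issuer) with a private key on
                # the machine is exactly what enables on-the-fly SSL spoofing.
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                HasPrivKey = $cert.HasPrivateKey
            }
        }
    }

    return $findings
}

$results = Find-SuperfishRootCert

if ($results.Count -eq 0) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
} else {
    Write-Warning "Found $($results.Count) Superfish certificate(s); run the vendor removal tool."
    $results | Format-Table -AutoSize
}
```

The check is read-only on purpose: the goal is to confirm whether a machine is still exposed (a self-signed root, optionally with its private key present, in a trusted store) before and after running the vendor's removal tool, rather than to replace that tool. Removing only the Superfish application without the certificate leaves the interception risk in place, so the certificate store is the thing worth verifying.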