Lenovo (0092.HK) poisoned some of its customers’ computers with an app that opened a huge vulnerability in secure web transactions, but it’s not alone. Researchers found another dozen apps over the weekend that also compromise secure web communications in the same way. So there’s no better time than now to check your computer and remove any useless software your PC manufacturer put there.
The core problem is that PC makers like Lenovo, Hewlett-Packard (HPQ) and others make such slender profit margins selling computers that they’re all too eager to take payments from software companies to pre-install extra apps, services, toolbars and so on, sometimes referred to as “bloatware” or, more colorfully, “crapware.”
Some of the additions may be useful and other bits harmless, but very little is necessary. And the impact on a computer’s speed and security is generally not good.
I bought an expensive Lenovo Thinkpad laptop two years ago that had, among many other add-in programs, an app called Nitro Pro PDF. I didn’t need it, or even use it. It may not have mattered, but a few weeks after I bought the machine, it stopped receiving Windows 8 updates, even critical security updates. Eventually, it turned out that the culprit was an incompatibility in the Nitro Pro app. Fully removing the unwanted app fixed the problem – which had plagued me and many other Lenovo customers for weeks – instantly.
In the more recent Lenovo case, the company installed a program called Superfish. The app is designed to intercept all web traffic from a consumer’s computer and insert additional advertisements. That doesn’t sound like something many people would want in the first place. And to get access to a user’s web traffic, including encrypted communications, the app swapped out a key digital component of secure Internet communications known as a root certificate.
A browser relies on its root certificates to verify that it is really talking to a secure web site, such as a bank or email service, and to set up encrypted communications back and forth so that messages can’t be read by anyone else. The problem was that the replacement certificate from Superfish could be easily cracked by hackers, who could then pose as the secure web site and steal a user's passwords or other sensitive data.
Lenovo, currently the world's biggest PC supplier, says it pre-installed the app on consumer PCs shipped between September and January, but has since stopped. And it posted instructions for removing Superfish.
Meanwhile, on Monday, Chief Technology Officer Peter Hortensius said the company was reviewing its policy of preloading software and might offer a "cleaner" option on new PCs.
The vulnerability was considered so serious that the Homeland Security Department’s Computer Emergency Readiness Team issued an alert, as well, with additional advice for detecting and removing Superfish. Microsoft (MSFT) also got into the act and added Superfish removal to its Windows Defender antivirus app.
Over the weekend, researchers at Facebook (FB) reviewed data from the millions of browsers that contact the company’s web site and found similarly weakened root certificates installed by other apps, not just Superfish. The culprits were a mixed bag of games, adware and other apps of unknown purpose. Eventually, antivirus programs should be updated to eliminate these weakened root certificates and restore browsers’ proper certificates.
So what can you do to avoid this mess?
If you have a recently purchased Lenovo PC, there are several web sites with instructions for how to remove Superfish and all its traces. It’s critical to remove not just the program but also the compromised root certificate.
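As an added illustration (not part of the original article, and not Lenovo’s or Superfish’s own code), this PowerShell script audits the Windows trusted-root stores for the Superfish certificate and, more generally, for any root authority whose private key sits on the PC, which is a general sign of local interception software rather than a claim the article makes. It assumes an elevated PowerShell session on Windows and that the Superfish entry carries “Superfish” in its Subject field.

```powershell
# Added example, not from the article or from Lenovo/Superfish. Lists entries in the
# Windows trusted-root stores that deserve a closer look before removal:
#   - any certificate naming Superfish in its Subject (assumed from the product name)
#   - any root CA whose private key is present on this PC, a general sign of local
#     TLS-interception software rather than something the article states
# Assumes an elevated PowerShell session on Windows.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspects = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $namedSuperfish = $cert.Subject -like '*Superfish*'
        $localKey       = $cert.HasPrivateKey
        if (-not ($namedSuperfish -or $localKey)) { continue }

        $reason = if ($namedSuperfish) { 'Superfish named in Subject' } else { 'root CA with private key on this PC' }

        [PSCustomObject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Reason     = $reason
        }
    }
}

if ($suspects) {
    $suspects | Format-Table -AutoSize
    # After confirming an entry is unwanted, delete it by its thumbprint path, e.g.
    #   Remove-Item -Path 'Cert:\LocalMachine\Root\<thumbprint>'
    # Uninstalling the program alone leaves this trust entry in place.
} else {
    'No Superfish certificate or root CA with a local private key found.'
}
```

Review each listed entry before deleting it; the private-key heuristic can also flag legitimate local test authorities that a developer installed deliberately.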
In general, there are two approaches to avoiding bloatware. One is to buy computers that come clean out of the box – Apple (AAPL) is the only major maker that doesn’t install bloatware, but if you need or prefer a Windows computer you can purchase one via Microsoft’s “Signature” program.
Just know that Apple computers and the PCs in Microsoft’s program cost more. If you’re under a tight budget and you buy a computer with bloatware, or you did in the past, there are programs such as Revo and Decrap, which you can use to remove it. It's probably the best way to avoid becoming a victim of the next Superfish debacle.