Lastpass - Superfish

Lenovo users need to be aware that the manufacturer was pre-installing an adware program, called Superfish, on new laptops up until January 2015. The program breaks secure connections to webpages, making your online activities – including passwords and any data you enter into a webpage – vulnerable to hackers. Here’s what you need to know and how to ditch that nasty software for good.

Superfish tracking software is bloatware, installed by Lenovo to see where users go online in order to show them ads based on their online activity. The program scans for images on web pages that you visit, then shows pop-up ads with visually similar items from their advertisers. In a recent press release, Lenovo assured users that:

“Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted.”

While this is Lenovo’s attempt to steer alarmed users away from concerns that the Superfish software was gathering data about them, there are still a number of important, and dangerous, issues caused by this software. Superfish shows users “visual price comparisons” on sites that they visit. Not only does this practice intrinsically change the browsing experience by forcing users to view ads on top of sites they visit (even those that normally would not have ads on them), the program siphons off your computer’s resources in order to do so. This results in a slower browsing experience, and frankly it’s really irritating to have pop ups prompting you to buy things every time you surf the net.

Besides the fact that it’s creepy that Lenovo would foist this invasive adware onto unsuspecting users, the way that the software collects data actually breaks your computer’s ability to establish a secure connection with sites that utilize HTTPS for just that purpose, such as financial institutions and email providers like Google and Microsoft. When you access a site with a web address that starts with https://, the site establishes a secure connection with your computer. The site presents a certificate that lets your browser verify it is talking to the genuine site, and the connection is encrypted so that data is not sent in plain text, making it less vulnerable to hackers who may intercept data packets on less secure channels.

In order to spy on users’ online activities, Superfish sets up a “man-in-the-middle” arrangement. It installs a self-generated root certificate into the Windows certificate store and then re-signs all SSL certificates presented by HTTPS sites with its own certificate. The program uses this method to inject ads on encrypted sites, but in breaking the secure connection offered by HTTPS, it leaves your personal data vulnerable to hackers.

Worse, Superfish has been installing the same root certificate with the same weak encryption key on all affected Lenovo PCs. The encryption key has already been broken and posted online, leaving all Lenovo PCs with Superfish installed vulnerable to criminals looking to take advantage of the gaping hole Superfish has created in the computer’s online security.

I have a Lenovo PC. What should I do? The first step is to determine whether or not Superfish is installed on your computer. In a press release issued by Lenovo on February 19, 2014, the manufacturer provided a list of models Superfish may have appeared on. Instead of trusting Lenovo’s list, however, I recommend that you head over to LastPass and use their Superfish detection tool. Go to to instantly determine if your computer is affected.

I have Superfish on my computer. What now? The next step is to uninstall the program. Lenovo has published a “Superfish automated removal tool” which can be accessed here:

I would recommend that affected users instead remove Superfish manually by navigating to Control Panel – Programs – Uninstall a Program and finding VisualDiscovery in the list of installed programs. After uninstalling the program, run your anti-virus software. Most anti-malware programs flag Superfish as adware (because it is…) and can remove lingering pieces of the software.

I uninstalled Superfish. Am I safe? Unfortunately, uninstalling the adware doesn’t remove the rogue root certificate that the program creates – the certificate that makes your online activity vulnerable to attack. Perhaps the easiest way to get rid of all pieces of the Superfish adware is to update and run a scan with Microsoft’s Windows Defender anti-malware program. Microsoft released an update a couple of weeks ago that removes the adware and the rogue root certificate created by Superfish.

Windows Defender typically comes enabled by default on all Windows 8 PCs. However, some manufacturers (Lenovo included) disable Windows Defender in order to activate a bundled antivirus program (often a trial version that later expires and becomes ineffective unless you pay a fee) of Norton, McAfee or the like. To reactivate Windows Defender, open your Windows search function from the side-swipe menu or from the Start screen and type “Windows Defender” in the search field.

Once Windows Defender is launched, if you see a red X and a message that “Real-time protection is turned off,” click on the Settings tab and add a check to the box next to “Turn on real-time protection.” Now you can click on the Update tab, install all updates and run a scan.

If you are more of a do-it-yourselfer, you can remove the certificate manually. Press Windows key + R on your keyboard to bring up the Run tool, then type certmgr.msc and press Enter to open your PC’s certificate manager. Click on “Trusted Root Certification Authorities” in the left-hand navigation pane, then double-click “Certificates” to view a list of all trusted root certificates. Find the listing for Superfish, right-click it and choose Delete.
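The same check and cleanup can be scripted. The following PowerShell script is an added example, not from the original article or from Lenovo or LastPass: it audits both the machine-wide and per-user trusted root stores for any certificate whose subject or issuer mentions Superfish, reports what it finds (including whether a private key is attached), and only deletes when run with the -Remove switch. It assumes an elevated PowerShell session, which is needed to modify the LocalMachine store.

```powershell
# Added example: audit and optionally remove the Superfish root certificate.
# Usage:  .\Find-Superfish.ps1           (report only)
#         .\Find-Superfish.ps1 -Remove   (report, then delete; run elevated)
param([switch]$Remove)

# Superfish could have placed its root in either store, so check both.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Thumbprint, NotAfter, HasPrivateKey
}

if (-not $found) {
    Write-Host 'No Superfish root certificate found in the trusted root stores.'
    return
}

# Show every match before touching anything; HasPrivateKey = True means the
# signing key is present on this machine, which is the worst case described above.
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Certificates in the Cert: drive are addressed by store path + thumbprint.
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        Remove-Item -Path $path -Verbose
    }
    Write-Host 'Removed. Close and reopen your browsers before browsing again.'
} else {
    Write-Host 'Re-run with -Remove to delete the certificate(s) listed above.'
}
```

This only covers the Windows certificate stores; Firefox keeps its own certificate manager and has to be cleaned separately.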

Firefox users should be aware that Superfish is able to insert itself into Firefox’s separate certificate manager. To remove it from Firefox, open the Firefox browser and then go to Options – Advanced – Certificates – View Certificates. If you see Superfish, click on it and select “Delete or Distrust.”