
SuperFish Vulnerability


Lenovo Security Advisory: LEN-2015-010
Potential Impact: Man-in-the-Middle Attack
Severity: High

Summary:

This advisory only applies to Lenovo Notebook products.
(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)


SuperFish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively:

  1. SuperFish has completely disabled server-side interactions (since January) on all Lenovo products so that the software product is no longer active, effectively disabling SuperFish for all products in the market.
  2. Lenovo ordered the pre-load removal in January.
  3. We will not preload this software in the future.

Published reports have recently identified vulnerabilities in the software, which include installation of a self-signed root certificate in the local trusted CA store.

Description:

SuperFish intercepts HTTP(S) traffic using a self-signed root certificate. This certificate is stored in the local certificate store and presents a security concern.
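
One way to check a Windows PC for such a certificate is to audit the trusted root stores, shown here as an added example that is not Lenovo's or SuperFish's own code. The name pattern is an assumption (this advisory does not publish the certificate's subject or thumbprint), and the private-key check is a general heuristic for locally installed interception roots, not something the advisory states about SuperFish.

```powershell
# Added example: audit the Windows trusted root stores for an interception root.
# Assumption: $NamePattern is a match on the product name only; the advisory
# gives no subject string or thumbprint, so review every hit manually.
param(
    [string]$NamePattern = 'Superfish'
)

# Both the machine-wide and the per-user store are trusted by Windows applications.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        # -match is case-insensitive; Escape() treats the pattern as a literal.
        $nameHit = $_.Subject -match [regex]::Escape($NamePattern)

        # Heuristic: a public CA never ships its private key to endpoints, so a
        # trusted root whose private key is present locally deserves review.
        $localKey = $_.HasPrivateKey

        if ($nameHit -or $localKey) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $localKey
                Reason        = if ($nameHit) { 'name match' }
                                else { 'root with local private key' }
            }
        }
    }
}

if (@($findings).Count -gt 0) {
    # Print what was found and signal it to calling scripts via the exit code.
    $findings | Format-List
    exit 1
}

Write-Output "No matching certificates found in: $($stores -join ', ')"
exit 0
```

The script only reports; it does not remove anything from the store.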

What you should do:

Lenovo has reached out to SuperFish to disable all server activity associated with their product. Lenovo recommends that its customers follow the instructions below to remove SuperFish and related files from their PCs. To completely remove this software, please follow the instructions on this link:

Affected Products

SuperFish may have appeared on these Lenovo Notebook models:

E-Series:
E10-30
Edge Series:
Lenovo Edge 15
Flex-Series:
Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 Pro, Flex 10
G-Series:
G410, G510, G710, G40-30, G40-45, G40-70, G40-80, G50-30, G50-50, G50-45, G50-70, G50-80, G50-80Touch
Miix-Series:
Miix2 – 8, Miix2 – 10, Miix2 – 11, Miix 3 - 1030
S-Series:
S310, S410, S415, S415 Touch, S435, S20-30, S20-30 Touch, S40-70
U-Series:
U330P, U430P, U330 Touch, U430 Touch, U530 Touch
Y-Series:
Y430P, Y40-70, Y40-80, Y50-70, Y70-70
Yoga-Series:
Yoga2-11, Yoga2-13, Yoga2Pro-13, Yoga3 Pro
Z-Series:
Z40-70, Z40-75, Z50-70, Z50-75, Z70-80

Acknowledgements:

None

Revision History:

Revision Date Description
1.4 3/17/2015 Updated Affected Products list
1.3 3/6/2015 Added link to the 6-Month McAfee Subscription
1.2 2/23/2015 Updated Summary and Affected Products list
1.1 2/20/2015 Advisory Update
1.0 2/20/2015 Initial Release


Alias Id:SUPERFISH
Document ID:PS500035
Original Publish Date:06/17/2016
Last Modified Date:08/28/2017