SuperFish Vulnerability
Lenovo Security Advisory: LEN-2015-010
Potential Impact: Man-in-the-Middle Attack
Severity: High
This advisory only applies to Lenovo Notebook products.
(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)
SuperFish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively:
- SuperFish has completely disabled server side interactions (since January) on all Lenovo products so that the software product is no longer active, effectively disabling SuperFish for all products in the market.
- Lenovo ordered the pre-load removal in January.
- We will not preload this software in the future.
Published reports have recently identified vulnerabilities in the software, which include installation of a self-signed root certificate in the local trusted CA store.
SuperFish intercepts HTTP(S) traffic using a self-signed root certificate that it installs in the local certificate store; a third-party root certificate trusted by the system in this way is a security concern.
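Added here as an example and not part of Lenovo's advisory: a PowerShell check that enumerates the machine-wide and current-user Trusted Root stores for a certificate whose subject mentions Superfish and reports whether it is self-signed (subject equal to issuer). The "Superfish" substring match and the function name are assumptions; if a vetted thumbprint is available, match on that instead.

```powershell
# Added example (not from the Lenovo advisory). Lists certificates in the
# Trusted Root stores whose Subject matches a pattern and flags self-signed ones.
# Run from an elevated PowerShell prompt on the notebook being checked.

function Find-SuspectRootCertificate {
    param(
        # Substring searched for in the certificate Subject (assumed pattern)
        [string]$SubjectPattern = 'Superfish',
        # Stores to inspect: machine-wide and current-user Trusted Root stores
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    foreach ($storePath in $StorePaths) {
        Get-ChildItem -Path $storePath |
            Where-Object { $_.Subject -match $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $storePath
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                    NotAfter   = $_.NotAfter
                    # A root CA is self-signed: its Subject equals its Issuer
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$findings = Find-SuspectRootCertificate
if ($findings) {
    $findings | Format-List
    Write-Warning "Matching root certificate(s) found. Follow the removal instructions in the advisory, then re-run this check."
} else {
    Write-Output "No root certificates matching the pattern were found in the Trusted Root stores."
}
```

The check only reports what is in the certificate stores; it does not remove anything, so an administrator can review the output before acting on the advisory's removal instructions.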
Lenovo has reached out to SuperFish to disable all server activity associated with their product. Lenovo recommends that its customers follow the instructions below to remove SuperFish and related files from their PCs. To completely remove this software, please follow the instructions on this link:
SuperFish may have appeared on these Lenovo Notebook models:
| Revision | Date | Description |
| --- | --- | --- |
| 1.4 | 3/17/2015 | Updated Affected Products list |
| 1.3 | 3/6/2015 | Added link to the 6-Month McAfee Subscription |
| 1.2 | 2/23/2015 | Updated Summary and Affected Products list |
| 1.1 | 2/20/2015 | Advisory Update |
| 1.0 | 2/20/2015 | Initial Release |