Lenovo admits to Superfish SNAFU, plans to release clean-up tool
Lenovo has admitted it "messed up badly" by pre-loading software on some consumer laptops that exposed users to possible attack, and said it will soon release a tool to remove it.
"I have a bunch of very embarrassed engineers on my staff right now," Lenovo CTO Peter Hortensius said in an interview Thursday. "They missed this."
Users have been complaining since September about the third-party program, called Superfish, which injects product recommendations into search results. But it only emerged Wednesday that the program also opens a serious security hole. The program interferes with SSL-encrypted Web traffic by installing its own root certificate in the trusted certificate store used by browsers. It then uses it to generate SSL certificates for HTTPS-enabled websites when they are visited by users. This allows it to act as a man-in-the-middle proxy between users and those secure websites.
