Superfish Security Flaw Extends Beyond Lenovo

On Thursday we reported on a security flaw disguised as advertising, installed on computers by Chinese computer maker Lenovo. Called Superfish, the software was supposed to add shopping results to web searches (whether you wanted them or not), and in doing so it opened these machines to a terrifying security hole. As of today, this situation has only gotten worse.

Lenovo had to send out its CTO to do interviews and try to spin and mitigate the PR disaster, which would be fine, but there was no discussion of how bad the issue truly is. Then the Department of Homeland Security warned against the software, calling out Lenovo by name and urging users to get it off their machines. If it weren't for the fact that this was all a blatant disregard for customers and their security, you could almost feel bad for Lenovo.

There's a nice (and by nice I mean clear but kind of scary) explanation from Filippo Valsorda, and even a test available over at his site, where you can learn more and find out if any computer in your life is affected. This is the scary part. As Filippo Valsorda explained, the "engine" that powers Superfish, called Komodia, is used by other software as well, which does the only thing that could possibly have made this situation any worse: it extends this flaw beyond the Superfish software itself. As an added bonus, this tends to be "parental control" software, supposedly another layer meant to keep computer users safe.

Let's be clear: This is not a bug. This is not an instance where everyone had good intentions and something innocent has been twisted by unsavory characters. Lenovo knew full well what it was doing and how it all worked before a single machine left the factory, ready to offer up someone's information to anyone who asked. Remember that next time you need an inexpensive PC and you see a Lenovo as one of the choices. There are any number of other options that are happy not to broadcast your data. Beyond Lenovo, the rest of the companies using this software (which has a laughable level of security) are just plain lazy.