Ann Arbor Area Business Monthly
Small Business and the Internet
Go Ask Superfish
By Mike Gould
“Who Do You Trust?”
ABC game show from the late fifties
Well, not Lenovo and Oracle, that’s for sure. This time around, I’m covering the latest shenanigans from two titans in the computer industry. Lenovo is famous for buying IBM’s PC business – ThinkPads and desktops. Oracle is the 800 pound gorilla in the database hardware and software arena, and creator of the Java platform. Java is software which runs small apps (applets) in Mac and PC web browsers, among other things.
Both of these entities were in the news recently, with Lenovo outed for installing adware, and Oracle messing with Mac users’ systems via a deceptive software installer. If industry giants like these can mess with you, is anybody’s computer safe?
Lenovo and Superfish
If you let your mind drift back to the year 2005, you may recall the news that IBM had exited the personal computer business, selling everything to Beijing-based Lenovo for $1.25 billion. This instantly made Lenovo the third-largest computer maker in the world. In 2014, they bought out IBM’s server business – the System x86 and BladeCenter computers.
We’re talking about a planetary monster of a company with well-respected products including the ThinkPad legacy of high-end laptops. So what did they do? Well, for several months in 2014, they sold laptops with security-threatening malware pre-loaded onto them. That evil software was called Superfish, and it quietly broke HTTPS, the main means of secure browsing on the web. You know that little lock icon you see in your browser’s address bar when you are securely connecting to, say, bank software? That’s HTTPS – Hyper Text Transfer Protocol Secure, or HTTP over the Secure Sockets Layer (SSL). Given the importance of this, this hack is bad news for everybody.
The purpose of Superfish (the maker of which is based in California, to give you an idea of the global reach of this) was to intercept your Google search requests, and feed you results that were paid for by advertisers. In return, the advertisers paid Lenovo around $250K during the period it was active. Let’s ponder that for a moment: Lenovo put its customers at a major security risk for chump change. As with most infernal infections, the devil is in the details: how this feat was accomplished.
The technical nitty-gritty is beyond the scope of this article, other than to say it involves SSL spoofing techniques and the creation of bogus security certificates. The main problem is that the technique was easy to crack and other, even more nefarious characters could use it to hack your ThinkPad beyond the annoyance of the phony search results. For this reason the US Department of Homeland Security recommended removing Superfish from all computers ASAP.
A firestorm of protest ignited across the Web once this was discovered. In addition to the DHS, Microsoft got involved and came up with a Superfish-specific addition to its Malicious Software Removal Tool (MSRT). Lenovo initially waffled, then fessed up and released instructions on removing it, followed shortly by an automated removal tool. A link to the tool is below, but a better bet is to run the MSRT.
There are reports that even though Lenovo has removed Superfish from recent builds, there are still infected units in the retail channel. Lenovo has apologized and is offering a free subscription to McAfee Internet Security to make amends. If you have recently purchased a ThinkPad, please run one of the above removers IMMEDIATELY. You’re welcome.
Superfish is an example of the pre-installed software (also called bloatware or crapware) that most PCs are saddled with. The margins on laptops and desktops are now so razor-thin that manufacturers accept money from various software companies to install their wares onto purchased hard drives. Most, if not all, of these are low-level utilities that:
Are time-limited to encourage you to buy the full version (which the manufacturer gets a cut of)
Often consume system resources even if not being used by the consumer (hard drive space, etc.)
Are often difficult to remove
Users, including me, have complained about this for years. After I bought my first Win laptop (URL below), I had to have a buddy come over and clean out all the junk that was taking up space on my drive.
Meanwhile, over on the Macintosh side of computing, a similar kerfuffle. Mac owners are usually blessed with a profound lack of bloatware. Apple’s margins are enormous enough that they don’t need to stoop to this.
So it came as a bit of a surprise when, downloading the latest upgrade to Java, Mac users were suddenly hit with a bit of adware. As I mentioned above, Java is a good thing to have on your computer; it enables you to run applets in your browser that can be very helpful. I use one that checks my HTML code when I put up new web sites I have designed. Oracle has always inflicted the Ask application on Win users, usually as bloatware. But this is the first time they have tried it on Maccers.
Ask is a cheezy toolbar that pops up suggesting ads for things you have Google-searched. When you go to update Java, there is a pre-checked box that you have to manually un-check if you don’t want this annoyance. Once installed, it messes with your homepage setting and selects Ask as your search engine of choice. Removal instructions are below. Removing Ask still lets you run Java.
It’s a marketing jungle out there.
More Superfish technical details:
Lenovo Superfish Removal tool: http://support.lenovo.com/us/en/product_security/superfish_uninstall
My first experience with a Windows laptop:
More Ask details:
UPDATE: Alert reader Tony Audas from Computer Alley wrote in with a correction to last month’s article, “Go Ask Superfish”:
…the Lenovo Thinkpad line of notebooks never had Superfish:
Superfish was only on the consumer targeted systems, not the business systems. We think the Thinkpad notebooks are the best, that is why we have them in stock (with win7) for immediate sale.
The author regrets the error and thanks Tony for the correction.
Mike Gould once got hit with an Ask install, and was pissed, was a mouse wrangler for the U of M for 20 years, runs the MondoDyne Web Works/Macintosh Training/Digital Photography mega-mall, is a laser artist, performs with the Illuminatus 3.0 Laser Lightshow, and welcomes comments addressed to firstname.lastname@example.org.