
Evening,

Forwarding this to this list as I am aware ThinkPad is popular. Looks, though, like Lenovo is shipping really dirty adware. How can they have fallen for this?

Regards,
William

Original Message
From: Christian Barcenas <christian@cbarcenas.com>
Sent: Thursday, February 19, 2015 9:47 AM
To: cryptography@metzdowd.com
Subject: [Cryptography] Lenovo laptops with preloaded adware and an evil CA

There's some interesting buzz online [1][2][3] about "Superfish", a bit of adware that Lenovo has apparently been preloading on some of its computers over the past few months.

While preloaded adware is bad enough, Superfish does something even worse: to allow itself to MITM SSL-/TLS-protected web traffic, it installs a CA into the Windows trusted root certificate store. This CA is apparently pre-generated and its corresponding private key comes with every installation of Superfish.

Furthermore, uninstalling Superfish does not remove this CA, so all users running Lenovo's tainted Windows installation are affected, even if they took the time to uninstall Superfish.

A user on Twitter has apparently forged a certificate for Bank of America's online banking system [4] and I expect that we will see more of these shenanigans come to light over the next few days.

According to a thread on Lenovo's customer support forum [1], they are no longer pushing this adware on customers and are asking the authoring company to push a fix for this ASAP. Mozilla also has an issue on their tracker to mark the offending cert as "untrusted" in NSS. [5]

Thoughts?

[1] https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-ad...
[2] http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new...
[3] https://news.ycombinator.com/item?id=9072424
[4] https://twitter.com/kennwhite/status/568270748638318593/photo/1
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1134506

--
Christian Barcenas

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
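
A check for the situation described in the message above, where the CA stays in the Windows trusted root store after Superfish is uninstalled. This is an added example, not part of the original email; it assumes the certificate can be recognised by "Superfish" in its Subject or Issuer, since the message gives no thumbprint.

```powershell
# Added example: audit the Windows root stores for a leftover Superfish CA.
# Assumption: the certificate is identified by "Superfish" in its Subject or
# Issuer. The message gives no thumbprint, so none is hard-coded here.
$pattern = 'Superfish'

# Stores that feed Windows trust decisions for the machine and the current user.
# The CurrentUser view also shows machine-wide entries, so one certificate
# may be reported more than once.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\AuthRoot'
)

$findings = foreach ($store in $stores) {
    if (-not (Test-Path -Path $store)) { continue }
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
}

if ($findings) {
    # Print every matching entry so it can be reviewed and removed per store.
    $findings | Format-List
    Write-Warning "Found $(@($findings).Count) trusted entries matching '$pattern'. Uninstalling the adware does not remove them."
    exit 1
} else {
    Write-Output "No certificate matching '$pattern' found in the checked root stores."
    exit 0
}
```

The script only reads the Windows certificate stores; applications that keep their own trust store, such as the NSS store mentioned in the message, need a separate check.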