Lenovo notebooks face massive web security flaw—here's how to fix it

Lenovo Z Series

In January, hardware manufacturer Lenovo admitted that software known as Superfish came pre-installed on some of the company's consumer notebooks, such as the otherwise excellent Y50. Great hardware, but this software? Not good. Not good at all. Superfish is a kind of adware that Lenovo claimed would "help customers potentially discover interesting products while shopping." Alternatively: it's advertising software that can potentially make your notebook vulnerable to all kinds of nastiness.

Superfish reportedly acts as a "man-in-the-middle," making itself an unrestricted root certificate authority. What does that mean? It's able to create its own SSL certificates in order to perform its advertising tasks even on secure connections. This means that users' private browsing data was potentially vulnerable even on https:// connections with that handy little lock. If you're using a Lenovo laptop, your web browsing's probably not as secure as you assumed.

Security experts were quickly and easily able to identify ways hackers could take advantage of this vulnerability. The Superfish bug essentially breaks fundamental web security protocols by routing all encryption through a single gate—the certificate authority owned by Superfish, whose password-protected private key turned out to be trivial to extract. Because the same key ships on every affected notebook, anyone holding it can forge certificates that those machines will trust.

If you have a Lenovo system, you should check to see if you're affected by Superfish. There's an easy solution: Security researcher Filippo Valsorda has created a quick test to see if you're vulnerable, which includes a link to removal instructions if you are indeed at risk. It should only take about five minutes, and the instructions are easy to follow.
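If you would rather confirm the situation from the machine itself, the defining symptom is the extra entry in Windows' trusted root certificate store. The PowerShell check below is an added example, not code from the article, from Lenovo, or from Superfish; it assumes the injected certificate authority's subject name contains the string "Superfish" and that you run it in an elevated Windows PowerShell session. It only reports what it finds; removal is left to the instructions linked above, since deleting the certificate alone does not uninstall the software that added it.

```powershell
# Added example (not from the article): report any trusted root CA whose
# subject matches a pattern. Assumes the Superfish CA's subject contains
# "Superfish"; adjust -Pattern if you are hunting for a different injected CA.
function Find-SuspiciousRootCA {
    param(
        [string]$Pattern = 'Superfish'
    )

    # Both the machine-wide and the per-user root stores are consulted, because a
    # CA trusted by either one is enough to make a forged HTTPS certificate look valid.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern } |
            Select-Object @{ Name = 'Store';      Expression = { $store } },
                          Subject,
                          Thumbprint,
                          NotBefore,
                          NotAfter
    }
}

$hits = @(Find-SuspiciousRootCA)

if ($hits.Count -gt 0) {
    Write-Warning ("Found {0} trusted root certificate(s) matching the pattern. " +
                   "HTTPS on this machine should be considered untrustworthy until " +
                   "the software and its certificate are removed.") -f $hits.Count
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No matching root certificate found in the LocalMachine or CurrentUser Root stores.'
}
```

Run it as `.\Find-SuspiciousRootCA.ps1` (or paste the function into a session and call `Find-SuspiciousRootCA`). A clean machine prints the "No matching root certificate" line; an affected one lists the store, subject and thumbprint of the offending CA, which is exactly what the removal instructions will ask you to locate. The thumbprint is also what you would record if you later want to verify, after cleanup, that the certificate has not been re-added.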
