The Guru College

Superfish, or how to MITM everyone

Lenovo was just added to the list of companies I’m hesitant to ever buy anything from ever again, in any capacity. As Ars Technica reports, the Superfish adware that was installed by default on Lenovo machines presents a self-signed root CA certificate in the Trusted Roots for the system’s SSL keys. This certificate was also trivially cracked. This means, if you are running Windows as shipped on a Lenovo machine, you may well be subject to insane security breaches.

Best bet: backup your personal data, return the Lenovo, and get a new laptop from a different vendor. And when you get the new machine, wipe the drive and reinstall your OS of choice from a vendor-supplied DVD. Only then should you put your data back on the machine.

Oh, yeah, and never trust OEM supplied OS images, ever again.

Changes | Home | A Great Week For the NSA