People who associate computers check it now! Some products have big holes in Superfish.

People who associate computers check it now! Some products have big holes in Superfish.

People on Lenovo computers open it now and check whether the loophole in Superfish has been broken! It is safe for "Good,~" to appear in light blue text. Because "Yes" is out, follow the instructions described later.

A large number of complaints from the company's forums indicate that computers made by Lenovo from September to December 2014 are pre-installed with adware that "can even intercept secure transactions" at the factory stage.

The name of the software is Superfish. This is advertising software that inserts third-party ads without the user's permission when Google search results and websites open, or at least Chrome and IE have confirmed its behavior.

Ad insertion is also serious, but that's not the only problem. This guy, the self-signed certificate issued by himself, the fake SSL certificate generated, the content of SSL communications can also peep into the inadequacies. As the saying goes, "my certificate".

So what's the problem? Security expert Kenn White gives an example.

Yes, the operation on Bankame's bank account has also been fully seen by a third party!

Please look at the certificate issued by the software. The issuer of the Bank of America (issued to Bank of America) certificate. I don't know why it became "Superfish". Originally, there must be a trusted certification bureau VeriSign here. Superfish is software that examines browsing data and transmits it to advertising companies, so being able to access secure content in this way is a big and big problem.

The problem remains. As written by the user and The Verge, this Superfish, the same private key, can also be issued with the machine's root certificate.

In other words, it will be a big crisis if someone breaks the encryption key of this certificate. You can also generate certificates of trust of Lenovo PC (almost all of Taiwan at this stage) poisoned by Superfish, and you can plant bad code from the outside without being understood by the holder. Omegadez. Oh, my God!

The problem came in January when Lenovo community manager Mark Hopkins left a message saying "Lenovo removed Superfish from the consumer system first" on the company's forum. On why these things were put in the shipping phase, Superfish wrote, "to help users visually discover and understand the product," and "analyze images on the web in real time to show cheaper prices with the same products and similar products." However, if the problem is so big, we cannot say so.

After the previous article was released in the United States, the encryption key of the certificate was destroyed by Errata Security's Rob Graham. At this point, all the Lenovo machines carried by Superfish have become targets of attack. I repeat, if you have a Lenovo computer, please check at the top link to see if it is infected. It's coming now!

Lenovo made such a statement.

レノボPCの人は今すぐチェックを!一部製品にSuperfishの大穴

Oh, don't worry. However, the problem of people who have already bought Superfish computers cannot be solved at all. If the root certificate is fragile, this will be a weak link to allow external intrusions. The problem still exists.

If the result is "yes" in the top link, it is recommended that you back up the machine, clean and install Windows, or open the registry and manually delete the problem certificate.

Then again, the worst part of the series of uproar is the passage of Lenovo's statement.

When there's so much evidence on the Internet, it's a little... Although it is said that "Superfish is invalid, it is not loaded on the newly shipped PC", the people who bought it before then still have loopholes, so no matter how to replace the language will not alleviate the seriousness of the problem.

Retrospective (14:00, 2015-02-20): lenovo announced that the installation of "Superfish" is limited to a portion of consumer-oriented notebook products shipped from September to December 2014.

Retrospective 2 (8:24, 2015-02-21): the U.S. Department of Homeland Security computer Emergency response team (US-CERT) "preinstalled in September 2014, but there are also reports that other applications began bundling since 2010" and warned of immediate removal of Superfish.

Note 3 (10:21, 2015-02-21): Microsoft can detect and remove Superfish from Windows Defender, the antivirus software installed by PC. All bypassed SSL certificates will also be reset. If there is a "Yes" and there are difficulties, please update Windows Defender immediately and scan to run!

Retrospective 4 (11:32, 2015-02-21): Lenovo released the automatic deletion tool! All major browsers are supported. Contains certificate resets. You can download it through the link.

Image by 360b/Shutterstock.com

Source:TNW,The Verge

Jamie Condliffe-Gizmodo US [original]

(Satomi)