Lenovo may have inadvertently exposed its customers to malware by preloading devices with Superfish software. The malware could potentially allow hackers to steal passwords or other sensitive information when consumers use the Web to shop, pay bills or check e-mail.
Although Lenovo is confident that the third-party software doesn’t compromise users’ safety, it has discontinued it, disabled the servers that run it and provided users with a tool to permanently remove it.
The problem affects an unknown number of computers. Lenovo said it shipped “some” laptops with Superfish between September and December last year, before it stopped because of customer complaints. That could cover a large number of machines as Lenovo shipped more than 16-million laptop and desktop machines in the fourth quarter.
Lenovo says Superfish wasn’t intended as malware; instead, it was designed to show targeted ads by analysing images of products that a user might see on the Web and then presenting “identical and similar product offers that may have lower prices”. Lenovo said the software doesn’t track users or collect any identifying information.
But some users initially complained the software shows unwanted “pop-up” ads. And this week, several independent experts reported that Superfish works by substituting its own security key for the encryption certificates that many websites use to protect users’ information.
“This means that anyone affected by this adware cannot trust any secure connections they make,” researcher Marc Rogers wrote on his blog.
What’s worse is that Superfish appears to re-use the same encryption certificate for every computer, which means a hacker who cracked the Superfish key could have broad access to a variety of online transactions.
Robert Graham, chief executive of Errata Security, boasted in a blog post Thursday that he was able to figure out the Superfish encryption password in a few hours.
Lenovo has issued the following statement in response to the threat:
“At Lenovo, we make every effort to provide a great user experience for our customers. We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.
“We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software. We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.
“We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January), and we are providing online resources to help users remove this software. Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future.
“To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any Lenovo desktops or smartphones. This software has never been installed on any enterprise product — servers or storage — and these products are in no way impacted. And, Superfish is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort.”
The company adds that Superfish may have appeared on these models:
G Series – G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series – U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series – Y430P, Y40-70, Y50-70
Z Series – Z40-75, Z50-75, Z40-70, Z50-70
S Series – S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series – Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series – MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series – YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series – E10-30
Why are you taking their side by calling the malware insertion “inadvertent”? Most other commentators are calling it malicious. I am affected by this and am extremely angry. Would love to know how to get a clean copy of Windows 8 on my Flex 10.