If you've been following the tech news this week you will
have noticed a breaking story about Lenovo bundling malware with its newlaptops. I think in many ways this is quite a sad story, because for a
reputable company to ship laptops which include software like Superfish is a
tragic indication of where the industry is at the moment.
Superfish is a piece of software that would euphemistically describe itself
as something that enhances your web experience, and it does this by inserting
targeted advertising directly into webpages that you are viewing. The average
user won't even notice the presence of the software, and will assume that the
advertising is embedded in the webpage itself, and it's the mechanism whereby
this is achieved that is particularly scary. Without boring you with the
technical details, what the software does is inject its own content directly into
the data from websites you are visiting, and it's a technique that is also used
in something called "man in the middle" attacks, where hackers use
the same technique to embed password capture elements into, for example, your
online banking website.
This in itself is frightening enough, but because the Superfish
software was poorly secured a hacker could hijack the program and use it to
fundamentally compromise the security of your computer, so that you next visit
to your online bank might actually take you directly to a site in Russia where
your banking details would be used to empty your account in pretty short order,
and because you're going to see that green certificate flag next to the website
address in your browser, your will have absolutely no idea that this is
happening.
This isn't actually a new story, with Superfish being a
regular topic of conversation in the Lenovo help forums over the last few
months, and once the vulnerability was exposed Lenovo were quick to pull the
software from all new laptops. What we don't know is whether its inclusion
resulted in any real-world attacks.
You might be wondering why Lenovo were bundling this
software in the first place, and the reason is quite simply because of the
microscopic margins on consumer laptops. When manufacturers may only be making
a profit of $5 on every laptop they sell, the temptation to include third-party
software (for which they paid) is a strong one. That's why most new
consumer laptops come bundled with all sorts of software that, if you know what
you're doing, you will remove as soon as you turn on the computer.
This is a practice that's been going on the decades in what many see as a race to the bottom, and
we've even created a word for it in the industry; crapware. You are
statistically likely to be using a computer that still contains crapware that the
manufacturer was paid to install. It's a business model that sees companies
such as McAfee and Norton enjoying a far greater share of the antivirus market
than they should based on the technical excellence of the products, so clearly
it's a sustainable business model for some, and if at the end of the day it
means that consumers are able to buy excellent laptops like the £300 LenovoEssential B50-70 then I've no problem with that for reasons I've given below.
So what should you, as a Computer Angels customer do? Well, if you bought your laptop through us, or if we prepared it for you then the answer is absolutely nothing. That's because the first thing we do when we’re preparing at Lenovo laptop for use is wipe the hard drive clean and reinstall everything from scratch. Not only does this removes the risk posed by this crapware, it also substantially increases the performance of the computer.
And if we didn’t prepare your laptop for you, and you’re
worried that you might have a copy of Superfish lurking somewhere on your
hard drive you can check for it here.