Pledge comes after Lenovo's root certificate for a spam firm triggered a serious security panic

In the face of recent criticism about its bundled software offerings on its desktop and laptop PCs, the Lenovo Group, Ltd. (HKG:0992) has agreed to pare down its installation image, removing so-called "adware" or "bloatware."

Based jointly in Beijing, China, and Morrisville, North Carolina, United States, the multi-national device maker was the world's top PC seller by volume in 2014, according to the IDC Group and Gartner Inc. (IT).

The pledge won't affect certain pieces of in-house Lenovo software, which the company deems necessary for supporting onboard hardware (e.g. camera firmware and supporting software). The promise also won't fully take hold until Windows 10, except for a specific software package which Lenovo immediately discontinued (read on).


Lenovo's official statement was surprisingly frank in acknowledging the harsh criticism leveled against it, commenting:

We are starting immediately, and by the time we launch our Windows 10 products, our standard image will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications. This should eliminate what our industry calls "adware" and "bloatware." For some countries, certain applications customarily expected by users will also be included.

Junkware on PCs shipping to consumers is an industry-wide problem. That said, a dangerous tactic in a piece of adware called "Superfish," discovered earlier this month, has caused Lenovo to face some of the strongest backlash of any firm.

Lenovo CEO Yang Yuanqing came under criticism when it was revealed that Lenovo was compromising user security to peddle ad popups. [Image Source: AFP]

The complaints began in Lenovo's forums when the adware's privileges were first unmasked. Lenovo was found to be giving the offending app a root-level signed security certificate, along with software to connect to a third-party proxy server. The end goal was to deliver popup ad spam from Lenovo's ad partner. And if spam wasn't bad enough, security professionals quickly pointed out that the root-level certification meant that anyone signed by Superfish could freely impersonate legitimate websites. Such impersonation opens the door to identity-stealing malware.

Lenovo first offered up tools to uninstall the Superfish software and its certificate. But as coverage of the issue built up, it finally, begrudgingly, agreed to phase out the dangerous adware/bloatware, which overall made up only a small part of its revenue stream. It has also stopped installing Superfish on new PCs.

The issue bears some similarity to the case of Sony Corp. (TYO:6758), which last decade was caught installing rootkits on users' computers in order to implement digital rights management protections.

Fortunately, there have been no known reports of users having their information stolen via the gaping Superfish hole. It appears Lenovo may have addressed the issue in time, before it caused serious damage to customers.

Sources: Lenovo, via Neowin, TNW

Copyright 2017 DailyTech LLC.