
Superfish Vulnerability

Lenovo Security Advisory:  LEN-2015-010

Potential Impact:  Man-in-the-Middle Attack

Severity:  High

 

Summary:

This advisory only applies to Lenovo Notebook products. 

(ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)

Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing.  However, user feedback was not positive, and we responded quickly and decisively:

 

  1. Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the software product is no longer active, effectively disabling Superfish for all products in the market.
  2. Lenovo stopped preloading the software in February.
  3. We will not preload this software in the future.

 

Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store.  The application can be uninstalled; however, the current uninstaller does not remove the Superfish root certificate.

 

Description:

Superfish intercepts HTTP(S) traffic using a self-signed root certificate.  This certificate is stored in the local certificate store and presents a security concern.

 

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo has reached out to Superfish to disable all server activity associated with their product.  To completely remove this software, please follow the instructions on this link: 

Superfish Removal Instructions
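
Because the current uninstaller leaves the root certificate behind, it is worth confirming afterwards that it is no longer trusted. The following read-only check is an added example, not part of Lenovo's removal instructions; it assumes the certificate's Subject or Issuer contains the string "Superfish", which this advisory does not state, and the function name is hypothetical.

```powershell
# Added example: read-only audit of the Windows trusted root stores.
# Assumption: the leftover certificate's Subject or Issuer contains "Superfish".
$NamePattern = 'Superfish'

function Find-SuspectRootCertificate {
    param(
        [string]$Pattern = $NamePattern,
        # Check both the machine-wide and the per-user trusted root stores.
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $escaped = [regex]::Escape($Pattern)
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $escaped -or $_.Issuer -match $escaped } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    # A self-signed root has identical Subject and Issuer.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$hits = @(Find-SuspectRootCertificate)
if ($hits.Count -eq 0) {
    Write-Output "No root certificate matching '$NamePattern' found in the checked stores."
} else {
    $hits | Format-List
    Write-Output "$($hits.Count) matching root certificate(s) still trusted; follow the removal instructions."
}
```

This inspects only the Windows certificate stores; applications that maintain their own trust store are not covered by it.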

 

Affected Products

The following Lenovo notebooks may be affected:

E-Series:
E10-30

Flex-Series:
Flex2 14, Flex2 15
Flex2 14D, Flex2 15D
Flex2 14 (BTM), Flex2 15 (BTM)
Flex 10

G-Series:
G410
G510
G40-70, G40-30, G40-45
G50-70, G50-30, G50-45

M-Series:
Miix2 – 8
Miix2 – 10
Miix2 – 11

S-Series:
S310
S410
S415; S415 Touch
S20-30, S20-30 Touch
S40-70

U-Series:
U330P
U430P
U330Touch
U430Touch
U540Touch

Y-Series:
Y430P
Y40-70
Y50-70

Yoga-Series:
Yoga2-11BTM
Yoga2-11HSW
Yoga2-13
Yoga2Pro-13

Z-Series:
Z40-70
Z40-75
Z50-70
Z50-75

 

Acknowledgements: 

None

Other information and references:

TBD

 

 

Revision History:

Revision    Date         Description
1.0         2/19/2015    Initial Release