Lenovo CTO: We Have No Intention Of Shipping A Superfish Product Again

Last week, news broke that many Lenovo computers were shipped with a dangerous piece of Superfish adware, which made the computers vulnerable to malicious hacks. Now, with a class-action lawsuit looming and antivirus vendors pledging to root out the adware, Lenovo's CTO has said his company is done with Superfish.

I spoke with Lenovo CTO Peter Hortensius this afternoon, and asked him about the company's relationship with Superfish. Hortensius has already said that the Superfish program was "adware with a security issue", and has admitted that shipping it was a mistake. Lenovo has worked with anti-virus vendors to create an update that removes the program from Lenovo computers.

But the question on many consumers' minds was how the company would deal with Superfish, their partner, who had deliberately installed what many are calling spyware. "We still have a commercial contract with them, but we have no intention of ever shipping a Superfish product," Hortensius said. "A contract changes nothing — we will not ship more Superfish products."

It seems that Lenovo has severed ties with Superfish for good.

Now it's just a question of what Lenovo is doing to clean house. I asked Hortensius whether they had figured out who was responsible for setting up the Superfish deal, and whether they would be fired or disciplined for it. He replied that the company was "relooking at all our plans and policies in this area to understand [what happened] and are dealing with these issues internally."

When I asked what precautions they would take to prevent another program like Superfish's adware from being shipped, he said Lenovo was coming up with new policies about adware and would make an announcement about them by the end of the week.

If Lenovo hopes to regain customer confidence, however, they're going to need to do more than promise not to ship Superfish products again. They need to end their contract with the company, and explain openly who set up the deal and how it happened. Finally, they need to do more than just promise not to ship adware that is so riddled with security flaws that the proposed class action lawsuit against Lenovo calls it "spyware". Maybe they could start by getting security audits on their adware done by independent analysts.


Comments

    This is a good start. I'd love to see the same focus on other companies though. I love my Samsung products, they make great phones, computers, tablets etc, but there's always a bit of bloat associated with all of them. How much of that bloat is ad-ware? Toshiba, Asus and the rest actively install adware too. It's not really fair that Lenovo get pummelled for this.

    Last edited 24/02/15 2:15 pm

      The problem is not (principally) that it's adware. It's that it's adware that can be easily subverted to monitor your secure traffic. You could log into your bank and find that Superfish is sending copies of everything back to *their* servers.

      In theory this could include stuff like your (https-submitted) username and password, although my understanding is that it chiefly affects received, rather than transmitted, data.

      Still, it entirely misses the point of what https is for - and this, done solely to serve ads to you, which you probably aren't actually interested in. As tradeoffs go it's lacking.
