Lenovo Computers Vulnerable to Hacks Thanks to Superfish

We recently learned that PC manufacturer Lenovo is selling computers preinstalled with a dangerous piece of software, called Superfish, that uses a man-in-the-middle attack to break Windows’ encrypted Web connections for the sake of advertising.

Research from EFF’s Decentralized SSL Observatory has seen many thousands of Superfish certificates that have all been signed with the same root certificate, showing that HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken.

For example, shortly after this news became widespread, security researcher Robert Graham was able to extract the certificate from the Superfish adware and quickly cracked the password. With this password, a malicious attacker would be able to intercept encrypted communications on the same network (like at a cafe Wi-Fi hotspot).

To find out if this issue affects you, go to Filippo Valsorda’s Superfish CA test page in Internet Explorer or Chrome first.