Superfish Only Adds to PC Users' Sense of Insecurity on the Web

By Wayne Rash  |  Posted 2015-02-24

But then there's the next question: Does Superfish belong on a computer in the first place? And if it does, should the manufacturer have placed it there without its customers' consent?

Lenovo's statement about Superfish and the subsequent apology by the company's CTO say that this was all about providing a better experience for customers. Perhaps that's what the folks at Lenovo thought when they OK’d the idea. It's worth noting that this only happened on consumer laptops and that neither Superfish nor Komodia was installed on business products such as ThinkPad laptops.

But for laptops that weren't sold strictly for business, Lenovo installed a bunch of random software packages that the company apparently assumed its customers would find useful. Superfish was one of those, and Komodia was installed as a way to enable Superfish.

"While Komodia is described as a 'third party add-on' to Superfish, the problem remains the same for the end user that has bought a Lenovo computer," said senior security researcher Jerome Segura from Malwarebytes.

"Komodia was clearly the bigger issue because of poor implementation and a flawed idea of intercepting encrypted communications as a man in the middle, which is the same thing that malware deployed by cyber-criminals does to break into computers. However, Superfish itself is a source of concern because while the technology looks great on paper, the application is often bundled with many 'free' programs and has been called Adware by some people."

Apparently at least part of the problem was indeed a flawed implementation.

"We're working on fixes for the Komodia SDK," said Komodia founder Barak Weichselbaum in an email.

Clearly it would be an improvement if Komodia were to fix its software so that it doesn't present the gaping security hole it does now. But that still begs the question of whether Komodia or any other such software should be installed by default on a computer.

When I bought a new computer from HP last year, it did come with some of that free software, but it was included in the box on a set of DVDs. If I wanted the aftermarket video player software it was there for my use, but it wasn't on the computer when I fired it up for the first time. What was there was a limited time antivirus package and a couple of HP-specific management and maintenance packages.

In my case the reason may have been that I bought a business computer, not one of those sold to consumers at the local big box store. But shouldn't it be this way for everyone? There was a time when installing software on the hard disk had a reason, but with the ubiquity of the Internet those times are gone.

Now all that's really required are links and a description of what's available to download and install as you would find in an online app store. If the customer wants software, downloading and installing it is trivial. But regardless of whether the computer is for business or consumer use, the process has given users a chance to decide what kind of software they want to install and how much personal information they want to divulge online.
