Lenovo officials are continuing to try to repair the damage from the self-inflicted wound that is Superfish, most recently offering customers impacted by the adware a six-month free McAfee subscription and a promise to become the top vendor of “cleaner, safer PCs.”
These steps, announced Feb. 27, are the latest by the world’s largest PC vendor to regain the trust of customers after it was discovered last week that for two months at the end of last year, Lenovo was preinstalling adware on some of its PCs from a small company called Superfish. The software was supposed to improve the user experience, but instead was revealed to open up a security hole: it violated Web Secure Sockets Layer/Transport Layer Security best practices by creating its own root certificate authority, which could potentially enable a man-in-the-middle attack.
The backlash against Lenovo was swift and harsh, and company officials were slow to accept responsibility, initially saying Superfish posed no security risk before admitting days later that the software was a problem.
Since then, company officials said they had been talking with industry and security experts to come up with steps affected customers could take to wipe the Superfish software from their systems, and promised to come up with ways to mend the OEM’s relationship with its customers.
The company also had to deal with a hack of its primary Website on Feb. 25. The site’s Domain Name System (DNS) records were compromised, and for a short time, visitors trying to get to the site were redirected and the site’s name was changed to @LizardCircle, a Twitter account associated with the Lizard Squad hacking group.
In a statement released Feb. 27, Lenovo outlined some of those steps, though it continued to try to soften the impact of the Superfish adware, noting that the “Superfish visual discovery software preloaded onto Lenovo consumer notebooks … created concern and frustration among our customers and the security and privacy communities.”
Officials also stressed that the software was preloaded between September and December 2014 only on some consumer systems, not on any ThinkPads, smartphones, tablets, desktops or enterprise servers or storage appliances.
Now Lenovo is offering affected PC users a free six-month subscription to McAfee’s LiveSafe security service—or a six-month extension for those users who already have a subscription—and officials said more information will be coming from the company within seven days.
In addition, they said that they want to make the vendor the world’s leader in building and selling clean PCs. Starting with the launch of systems that will run Microsoft’s upcoming Windows 10 operating system, the standard image that will be loaded onto Lenovo’s PCs “will only include the operating system and related software, software required to make hardware work well (for example, when we include unique hardware in our devices, like a 3D camera), security software and Lenovo applications.”
Doing so will “eliminate what our industry calls ‘adware’ and ‘bloatware,’” they said, adding that they will be including other software for systems aimed at some countries where users expect it.
Lenovo also will post information about all the software that is preinstalled on its systems, spelling out what each application does.
The effort to create clean and safe technology is similar to Microsoft’s Signature Edition initiative, in which systems bought at the Microsoft Store will have no third-party software preloaded—no programs, toolbars or screensavers, according to the software vendor.