



Thread: How to uninstall Lenovo’s Superfish malware and re-secure your system

  1. #1
    KicKOdiE

    How to uninstall Lenovo’s Superfish malware and re-secure your system

    When news broke this morning that Lenovo has been shipping an adware program that critically breaks security certificates in every user system and undermines the entire security of HTTPS encryption, the company leapt into action — with precisely the wrong response. While it now offers some instructions on how to remove the program, it doesn’t actually repair the security flaws — in fact, it tries to pretend those flaws don’t exist. Many of you have asked how to secure an infected system — this how-to will explain how to nuke Superfish’s compromising certificates from orbit.

    First, the simple part: Open Control Panel > Uninstall a Program, and choose “Visual Discovery.” Uninstall it.

    Next, things get a little more complicated. Hit your Windows key (or click on the Start Menu button). Type “Certmgr.msc” (no quotes). Right click on the program that appears and choose “Run as Administrator.” You’ll need to actually type the .msc extension before the program appears — simply typing “Certmgr” isn’t sufficient.


    [Image: Make sure you type "Certmgr.msc"]



    This will open the Certmgr – Certificates page, as shown below. Click on the “Trusted Root Certification Authorities.” This will open a long list of trusted authorities, as seen on the right.


    [Image: Certmgr.msc open]


    Since I’m screenshotting my own system, I can’t show you what the actual Superfish entry looks like, but if you sorted in alphabetical order on an infected system you’d see this:

    Pic Here

    From here, right-click (make sure you click on the right certificate) and choose “Delete.” Restart your browser at a minimum (restarting your system may also be a good idea). If your system was previously infected, you can visit sites like Filippo.io and check to see if your rig is now clean. Filippo also has instructions for checking Firefox specifically if you want to make certain the Superfish cert is truly deleted.

    Other developments

    A few more things have happened since we wrote our first story. Lenovo has doubled down on the “There is no risk” response and isn’t recommending actually deleting the certificate. Instead, the company is relying on a server-side patch that the Superfish folks put in place to deactivate their product for Lenovo users. Here’s what that means: If you follow Lenovo’s steps, you are still infected with a man-in-the-middle attack that uses a compromised security key. The public and private halves of that key are leaked, in the wild, and broken. The private key, “Komodia,” is still a company that earns its income selling malware tools.

    When the Wall Street Journal asked if these risks were real, Lenovo responded with the following:

    Quote here

    Just to be clear, these aren’t theoretical problems. The entire certificate system relies on the concept of trust. Superfish breaks that chain and substitutes its own certificates in the same way that a cuckoo substitutes its own eggs in a nest. A flaw this large, shipped on millions of systems over more than six months, is begging for an exploit.

    One final note. The public key for the Superfish certificate is encrypted in 1024-bit RSA. Security researchers began recommending a move away from 1024-bit keys back in 2007; NIST (National Institute of Standards and Technology) was recommending 2048-bit key adoption by 2010, with 1024-bit keys banned by 2013. Not only is this certificate broken, cracked, and a profound security hazard — it’s compromised by key length on top of everything else.
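
A scripted equivalent of the Certmgr.msc steps in the post above, as an added example that is not part of the original thread: it lists root certificates whose subject or issuer matches the Superfish name, flags RSA roots shorter than 2048 bits, and deletes only the name matches when asked. The `*Superfish*` name pattern, the parameter names and the 2048-bit threshold are assumptions chosen to mirror the post.

```powershell
# Added example: audit the Windows root stores for the Superfish certificate and,
# with -Remove, delete it. Run elevated; LocalMachine changes need administrator rights.
param(
    [string]$NamePattern = '*Superfish*',  # assumption: entry is identifiable by this name
    [int]$MinRsaBits = 2048,               # threshold taken from the post's key-length note
    [switch]$Remove                        # without -Remove the script only reports
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

function Get-RootFinding {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $rsa  = $rsaExt::GetRSAPublicKey($_)        # $null when the key is not RSA
            $bits = if ($rsa) { $rsa.KeySize } else { $null }
            $hit  = ($_.Subject -like $NamePattern) -or ($_.Issuer -like $NamePattern)
            if ($hit -or ($bits -and $bits -lt $MinRsaBits)) {
                [pscustomobject]@{
                    Store = $store; Subject = $_.Subject; RsaBits = $bits
                    NameMatch = $hit; Thumbprint = $_.Thumbprint; Path = $_.PSPath
                }
            }
        }
    }
}

$findings = @(Get-RootFinding)
$findings | Format-Table Store, Subject, RsaBits, NameMatch, Thumbprint -AutoSize | Out-Host

if ($Remove) {
    # Only name matches are deleted; short-key roots are listed for review, not removed.
    $findings | Where-Object { $_.NameMatch } | ForEach-Object {
        Remove-Item -LiteralPath $_.Path -Confirm       # asks before each deletion
    }
    $left = @(Get-RootFinding | Where-Object { $_.NameMatch })
    if ($left.Count -eq 0) {
        Write-Host 'No matching root certificate remains in the Windows stores.'
    } else {
        Write-Warning "$($left.Count) matching certificate(s) still present."
    }
}
# Firefox is not covered here; the post points to a separate check for it.
```

Saved under a name of your choosing (for instance a hypothetical `Check-SuperfishRoot.ps1`), it reports when run without arguments and deletes when run with `-Remove`.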

  2. #2
    Wobbs

    I was close to buying a laptop from Lenovo to replace my old one. As in the past I was impressed by the quality and durability of their products. It's sad that a company that once had a reputation for quality and durability can turn its back on its customers by compromising consumers' security. Goodbye Lenovo, I won't touch you with a 10 ft pole.

