Today, Lenovo unveiled its post-Superfish plan for consumer PCs as well as how it intends to compensate affected customers. The company notes that it has worked with industry partners to create removal tools and update antivirus software. Affected customers will receive a free six-month subscription to McAfee LiveSafe, or a six-month subscription extension if they already pay for the service. More information on this will be posted within a week.

Going forward, Lenovo has promised to offer a fundamentally different PC experience. By the time Windows 10 launches, the Chinese OEM will only include the operating system and related software in its standard device image. Lenovo further clarifies that “related software,” in this case, means driver software and utilities directly tied to the operation of the underlying hardware. Realtek’s Audio Manager, for example, is the kind of application that could still be bundled on a Lenovo system.

Lenovo claims that this will eliminate bloatware and adware, though it does leave itself a small amount of wiggle room. The statement says that “For some countries, certain applications customarily expected by users will also be included.”

The company has also pledged to “post information about ALL software we preload on our PCs that clearly explains what each application does.” [Emphasis original]. These plans, meanwhile, are characterized as just the starting point for future unspecified programs or projects with the goal of improving device security and regaining user trust.


A mixed response

Lenovo’s stated plan is excellent in some ways and falls far short in others. The company continues to rely on mealy-mouthed non-statements that deflect blame and obfuscate meaning. The first sentence of its latest missive is:

“Just over a week ago, the Superfish visual discovery software preloaded onto Lenovo consumer notebooks beginning in September 2014 created concern and frustration among our customers and the security and privacy communities.” The company goes on to recommend that users check Lenovo.com for details on how to remove Superfish, so let’s look at how that information is being conveyed.

The image below shows Lenovo.com (at 67% of native size to fit the entire page in a single screenshot). Expand the image back to 100% and you’ll see that the “Statement on Superfish” is buried below the fold, at the bottom of the page. That’s not how you deal with an actual problem.

[Screenshot: Lenovo.com homepage at 67% scale]

Contrast the company’s actual text with this (hypothetical) response: “A week ago, security researchers discovered critical security vulnerabilities within the Superfish Visual Discovery software that Lenovo preloaded on laptops from September to January 2014.” Lenovo’s entire strategy at the PR level has been to downplay this flaw and play it off on a handful of security researchers, though individual executives have taken more responsibility in interviews. Moreover, there’s now evidence that the Komodia software Superfish relied upon was exploited in the wild.

According to the EFF, the Decentralized SSL Observatory contains more than 1600 entries of invalid certificates that Komodia-infested systems should have rejected, but didn’t. Affected domains included Google, Gmail, Yahoo, Login.Yahoo.com, Bing, Windows Live Mail, Amazon, Ebay, Twitter, Netflix, and multiple banking websites. Some of these certificates may have been inadvertently invalid, but the EFF believes it’s highly unlikely that they all were.
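The reason those invalid certificates slipped through is that a Komodia-style product installs its own root in the operating system trust store, so the TLS handshake completes and the only visible trace is the issuer name on the certificate the client actually receives. The following check is an added example, not code from the article, from Lenovo, or from the EFF: it uses only the Python standard library, and the watch-list tokens (`superfish`, `komodia`) are constructed from the vendor names mentioned above. A production check would compare exact root-certificate fingerprints published by researchers rather than name substrings.

```python
"""Defender check for Superfish/Komodia-style TLS interception.

Added example, not code from the article or from Lenovo. It uses only the
Python standard library. The watch-list tokens are constructed from the
vendor names the article mentions; a production check would compare the
exact root-certificate fingerprints published by researchers instead.
"""
import platform
import socket
import ssl

# Constructed watch-list: substrings that, appearing in a certificate's
# issuer, point to a locally installed interception root, not a public CA.
SUSPECT_ISSUER_TOKENS = ("superfish", "komodia")


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.SSLSocket.getpeercert()-style
    dict (a tuple of RDNs, each a tuple of (attribute, value) pairs)
    into a plain {attribute: value} mapping."""
    return {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}


def looks_intercepted(cert, suspect_tokens=SUSPECT_ISSUER_TOKENS):
    """Return the offending issuer value if the certificate a server
    presented was signed by a watch-listed root, otherwise None.

    With an interception root in the OS trust store the handshake still
    succeeds, so the issuer name is what gives the interception away."""
    for value in issuer_fields(cert).values():
        lowered = value.lower()
        if any(token in lowered for token in suspect_tokens):
            return value
    return None


def scan_windows_root_store(suspect_tokens=SUSPECT_ISSUER_TOKENS):
    """On Windows, return the DER blobs in the machine ROOT store whose bytes
    contain a watch-list token (subject names are stored as plain text inside
    DER, so a byte search is a usable first-pass heuristic). Returns [] on
    other platforms, where ssl.enum_certificates does not exist."""
    if platform.system() != "Windows":
        return []
    hits = []
    for der, _encoding, _trust in ssl.enum_certificates("ROOT"):
        lowered = der.lower()
        if any(token.encode() in lowered for token in suspect_tokens):
            hits.append(der)
    return hits


def check_live_host(hostname, port=443, timeout=5.0):
    """Connect to hostname using the OS default trust store and report the
    issuer of the certificate actually received. Needs network access, so
    it is not exercised by the offline samples below."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return looks_intercepted(cert)


# Constructed samples in the shape getpeercert() returns (not real captures).
CLEAN_SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA Root"),),
    ),
}

INTERCEPTED_SAMPLE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish (constructed sample)"),),
        (("commonName", "Superfish (constructed sample)"),),
    ),
}

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("intercepted", INTERCEPTED_SAMPLE)):
        print(name, "->", looks_intercepted(sample))
    print("watch-listed roots in Windows ROOT store:",
          len(scan_windows_root_store()))
```

Run against the two constructed samples the clean certificate returns `None` and the intercepted one returns the watch-listed issuer; on a Windows machine `scan_windows_root_store()` additionally lists any root in the machine store whose encoded name matches a token, which is the store the removal tools Lenovo mentions have to clean.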

In this context, Lenovo’s offer of a six-month subscription to an anti-virus service is insulting compared to the value of the personal data that may have been stolen or intercepted.

In contrast, the company’s long-term plan to eliminate adware and bloatware will be well-received. These programs have trashed Windows installs for decades and left brand-new computers chugging like five-year-old machines. Happy as I am to see these long-term changes, I remain fundamentally unconvinced that Lenovo has confronted the magnitude of its own screw-up. Until it does so, I won’t recommend its hardware for any purpose.

