According to various user reports, Lenovo's new machines ship with software called Superfish pre-installed. It behaves like adware, injecting advertisements into Google search results and other websites in Google Chrome, Internet Explorer, and Mozilla Firefox.
The presence of the software was explained by a Lenovo community administrator, Mark Hopkins, on the Lenovo forums, saying it is a visual discovery tool that analyzes images to help users find similar images and product offers.
"To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine... The Superfish Visual Discovery engine analyzes an image 100 percent algorithmically, providing similar and near identical images in real time without the need for text tags or human intervention. When a user is interested in a product, Superfish will search instantly among more than 70,000 stores to find similar items and compare prices so the user can make the best decision on product and price."
However, the problem goes well beyond intrusive ads and pop-ups. Users on Lenovo's forum report that the software installs its own self-signed root certificate as a trusted root, so that anything chaining to it looks legitimate to the browser. That lets Superfish intercept and read traffic over secure web connections (SSL/TLS).
As The Next Web notes, this is the technique commonly known as a man-in-the-middle attack: with a root the browser trusts, the software can issue its own certificate for any HTTPS site, present it to the browser, and decrypt the requests the browser then encrypts to it.
Going by the earliest user reports, Lenovo has been installing Superfish since at least September.
In a forum post in January, Hopkins said that the Superfish software had been temporarily removed because of problems with its browser add-on, and that once a fix is available the software would be auto-updated. Users note, however, that uninstalling the software leaves the root certificate in place.
"Due to some issues (browser pop up behaviour for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues," Hopkins noted on the community forum.
Hopkins added that there is nothing wrong with the software or the technology behind it, and that users can choose not to install it when setting up their laptop for the first time.
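The two points above, that a self-signed root in the trust store lets an interceptor mint a certificate for any site the browser will accept, and that such a root can outlive the uninstall of the software that put it there, can be shown offline with the openssl command-line tool. The script below is an added example and is not Lenovo's or Superfish's code. Everything in it is constructed for the demo: the "legitimate" root standing in for the system trust store, the adware-style root (its subject text is made up here and is not the real certificate's), the two trust bundles, and the hostname www.example.com.

```shell
#!/bin/sh
# Added illustration, not Lenovo's or Superfish's code. Needs the openssl CLI.
# (1) why a trusted self-signed root lets an interceptor mint a certificate for
#     any site that verification will accept, and
# (2) how to scan a PEM trust bundle for a leftover root by subject name.
WORK=$(mktemp -d)

# Make a self-signed CA certificate with CA:TRUE. $1 = nickname, $2 = subject.
make_root() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Mint a leaf for host $2 signed by root $1: what an interceptor does per site, on the fly.
mint_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Echo "trusted" if leaf.pem chains to a root in bundle $1, else "untrusted".
# The verdict is taken from the ": OK" line rather than the exit code, which
# older openssl releases did not set reliably.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'
  then echo trusted; else echo untrusted; fi
}

# Echo "present" if any certificate subject in bundle $1 contains $2 (case-insensitive).
# Point this at a machine's exported trust store after removing the software.
store_has_subject() {
  if openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
     openssl pkcs7 -print_certs -noout 2>/dev/null |
     grep '^subject=' | grep -qi -- "$2"
  then echo present; else echo absent; fi
}

# Constructed stand-ins: a root the system already trusts, and an adware-style
# root whose subject string is invented for this demo (not the real certificate's).
make_root legit "/O=Example Legit CA/CN=Example Legit Root"
make_root rogue "/O=Superfish Inc/CN=Superfish-style test root"
cat "$WORK/legit.pem" > "$WORK/store_clean.pem"
cat "$WORK/legit.pem" "$WORK/rogue.pem" > "$WORK/store_with_rogue.pem"

# The interceptor mints a certificate for a site it never owned.
mint_leaf rogue www.example.com

echo "clean store:           $(verify_leaf "$WORK/store_clean.pem")"                     # untrusted
echo "store + leftover root: $(verify_leaf "$WORK/store_with_rogue.pem")"                # trusted
echo "scan clean store:      $(store_has_subject "$WORK/store_clean.pem" superfish)"      # absent
echo "scan dirty store:      $(store_has_subject "$WORK/store_with_rogue.pem" superfish)" # present
```

The leaf for www.example.com verifies only against the bundle that still contains the rogue root, which is exactly the state a machine is left in when the software is uninstalled but its root certificate is not. To check a real machine, export its trust store to a PEM bundle and run store_has_subject against it with the vendor's name; the subject text of the actual certificate is not given on this page, so the search pattern is an assumption to adjust.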