HARDWARE FIRM AND NON-FISH FAN Lenovo is pushing ahead with its Superfish cleanup and has told affected users when they can expect to get a free six months' worth of McAfee antivirus protection.
The Superfish was netted late in February and caused some concern. Lenovo promised a reparations package, and that package is now presenting itself.
In a short statement on Friday the firm said that any punters that purchased a piscean-poisoned pre-loaded PC could put up their hands and stake a claim on the protection.
"Information about the free 6 month subscription for McAfee antivirus protection for Lenovo customers who purchased a Lenovo PC pre-loaded with Superfish software is now available," it said.
"Today Lenovo is providing updated information about the free 6 month subscription (or free 6 month extension for existing subscribers) for McAfee antivirus service for Lenovo customers who purchased a Lenovo PC pre-loaded with Superfish software," says the additional information.
"We are working with Intel Security to provide this free service through an online system that will go live by March 16, when appropriate systems will be in place to process incoming requests."
Newbies will be expected to adopt a 30-day free trial of McAfee, after which time they will enjoy the benefit of the six months' protection. You are going to need to present your PC serial number, and have an affected machine to apply. A list of affected hardware has been released by the PC maker.
Reports have it that Lenovo may be making more work for itself, and could still be shipping affected machines. A report on Ars Technica finds two readers who were able to purchase Lenovo machines recently and catch themselves a Superfish. Lenovo told the news site that consumers with issues should contact it directly.
We reported on Superfish earlier, explaining that the third-party advertising software is a security menace, and one that you would want to avoid.
In a statement sent our way the firm explained that it meant no harm, is well sad about what happened, and is sorry. It also gave us a list of affected hardware which we can share with you (see below).
You may use this as a way into defenestrating your kit, or you may use it to address your current software status and security landscape.
"We thought [Superfish] would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software," Lenovo said.
"We acted swiftly and decisively once these concerns began to be raised. We apologise for causing any concern to any users for any reason. We are always trying to learn from experience and improve what we do and how we do it.
"We stopped the preloads in January. We shut down the server connections that enable the software (also in January) and we are providing online resources to help users remove this software.
"Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future."
Lenovo offers information on what it is up to, and most importantly what software removal tools are available. The company confirmed that ThinkPad notebooks were spared the Superfish feature, along with Lenovo desktops and smartphones.
"To be clear: Lenovo never installed this software on any ThinkPad notebooks, or any Lenovo desktops or smartphones," Lenovo said.
"This software has never been installed on any enterprise product, servers or storage, and these products are in no way impacted. Superfish is no longer being installed on any Lenovo device."
Enough, already. On with the details. The machines that Superfish 'may' have appeared on are as follows:
G series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y series: Y430P, Y40-70, Y50-70
Z series: Z40-75, Z50-75, Z40-70, Z50-70
S series: S310, S410, S40-70, S415, S415 Touch, S20-30, S20-30 Touch
Flex series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
Miix series: MIIX2-8, MIIX2-10, MIIX2-11
Yoga series: Yoga 2 Pro-13, Yoga 2-13, Yoga 2-11BTM, Yoga 2-11HSW
E series: E10-30.
Lenovo landed in customers' bad books this week when security bods cottoned on to Superfish.
That sort of thing doesn't really fly these days. People go out of their way to avoid security vulnerabilities and certainly do not elect to buy them pre-installed on their hardware. Lenovo punters are making a bit of a stink about it on the official forums.
This is not the first time that Superfish has come to the surface. Lenovo's forums were first flushed with it in early 2014, and the firm has made some acknowledgement of this. It admitted to the problem in January and announced a suspension of the service.
"Due to some issues (browser pop-up behaviour for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues," Lenovo said.
"As for units already in the market, we have requested that Superfish auto-update a fix."
The firm added that Superfish isn't as bad as all that anyway, and can be switched off if that's what you want.
"Superfish technology is purely based on contextual/image and not behavioural. It does not profile or monitor user behaviour," the company explained in a post on the Lenovo forum.
"It does not record user information. It does not know who the user is. Users are not tracked or re-targeted. Every session is independent.
"When using Superfish for the first time, the user is presented [with] the Terms of User and Privacy Policy, and has [the] option not to accept these terms, i.e. Superfish is then disabled."
That was January, this is February and the smell of Superfish is still around. Returning forum posters, and other commentators, claim that Superfish and Lenovo combine to create an onboard man-in-the-middle attack that can get between you and your online banking provider and into your SSL-controlled session, among other things. No one wants that.
When we first asked Lenovo for its most recent information on the use of Superfish, the company said it stopped pre-loading in January 2015.
"At the same time Superfish disabled existing Lenovo machines in the market from activating Superfish. Superfish was preloaded onto a select number of consumer models only.
"Lenovo is thoroughly investigating all and any new concerns regarding Superfish."