Industry Trends

SuperFish FAQ: Adware Shipped With Lenovo Customer Laptops

By Ruchna Nigam | February 20, 2015

It has recently been brought to light that Lenovo has been shipping software known as VisualDiscovery, made by a company called Superfish, preinstalled on its consumer notebooks. The software is apparently not shipped with business laptops.

According to Lenovo, the Superfish software was preloaded on notebooks in a short window between September and December 2014.

Lenovo says it stopped preloading the software in January 2015 and does not plan to preload it in the future.

What exactly is Superfish?

Superfish is a company that makes and sells visual search products.

It has been in the news this week after the revelation that one of those products, VisualDiscovery, which injects advertisements into the browser, was shipped preinstalled on Lenovo laptops.

What is worrisome about this software is:

  • It is essentially a transparent proxy on the computer: all traffic to and from the browser passes through it first. According to Lenovo, its purpose was "to help customers potentially discover interesting products while shopping". That still qualifies it as adware.
  • It also works on HTTPS connections, which means it silently intercepts them, defeating the purpose of a secure connection. It achieves this with the help of a Superfish root Certificate Authority (CA) certificate installed in the machine's trusted root store.

Why is the presence of the Superfish Root CA detrimental?

Every machine comes with a set of preinstalled root Certificate Authorities (CAs). Their purpose is to let the client verify the identity of the entity it sets up a secure (HTTPS) connection with, somewhat like the passport-checking machines at airports that validate passports and detect counterfeit ones. In this analogy the passport is a certificate: a website presents a certificate as proof of its identity, and the client checks that the certificate chains up to a root CA it trusts.

Normally these root CAs are entities that are widely trusted by computer manufacturers and users, such as Microsoft and well-known signing authorities like VeriSign, DigiCert and SecureTrust. This is the one part of the authentication chain where human trust comes in: a manufacturer assumes these signing authorities can be trusted, and a consumer assumes the manufacturer only preinstalls reliable root CAs on the machines it sells. All other certificate operations rest on mathematics that is difficult to cheat.

Lenovo's blunder was to include the root CA of Superfish Inc., a company that does not fall into the above category, on the machines it sells. That is similar to the manufacturer of the passport-checking machines tweaking them to approve counterfeit passports of a certain kind.

How can this be used in an attack?

The real damage can be done if a certificate can be created that this root CA will vouch for. In the passport analogy, this is printing a counterfeit passport that the tampered checking machines approve.

Luckily for attackers, this is easier with certificates than with passports. All that is needed is to figure out what the VisualDiscovery transparent proxy does. The figure below shows how the proxy works.

The proxy intercepts HTTPS traffic, creates a certificate for the requested website on the fly, signs it with the Superfish root CA's private key, and presents that certificate to the browser while it relays the traffic to and from the real website. The browser accepts the certificate because the Superfish root CA is in the machine's trusted root store.

An attacker who studies the software can recover the private key of the Superfish root CA, which has to be present on the machine for the proxy to sign certificates (a security researcher has already done so). With that key the attacker can sign a certificate for any website, a bank for example, and a Lenovo machine carrying the Superfish Inc. root CA will accept it without complaint, so anyone positioned between the laptop and the internet (on public Wi-Fi, say) can impersonate any HTTPS site to it. Since the certificate creation mechanism is the same on all affected machines (same key, protected by the same password), one extracted key signs certificates that work on every machine with the Superfish Inc. root CA installed.
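To make the mechanism concrete, here is an added PowerShell example written for this page (it is not Superfish's code): it mints a throwaway root CA, then mints an on-the-fly leaf certificate for a hostname the way the proxy does for every intercepted HTTPS site, and asks Windows' chain builder whether it would accept that leaf. The root name, the hostname www.bank.example and the validity periods are made up, and nothing is written to any certificate store. It relies on .NET's CertificateRequest class, so it assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example, not Superfish's code: a "Superfish-style" root CA and the per-site
# certificate a transparent proxy mints for each intercepted HTTPS connection.
# Assumed: PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2+.
# Nothing here touches the Windows certificate stores.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$hash    = [HashAlgorithmName]::SHA256
$padding = [RSASignaturePadding]::Pkcs1
$now     = [DateTimeOffset]::UtcNow

# 1. The root CA. On affected laptops this key pair is the same on every machine,
#    because the proxy needs the private key to sign certificates.
$rootKey = [RSA]::Create(2048)
$rootReq = [CertificateRequest]::new('CN=Superfish demo root', $rootKey, $hash, $padding)
$rootReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$rootReq.CertificateExtensions.Add([X509KeyUsageExtension]::new(
    [X509KeyUsageFlags]::KeyCertSign -bor [X509KeyUsageFlags]::CrlSign, $true))
$rootCert = $rootReq.CreateSelfSigned($now.AddDays(-1), $now.AddYears(10))

# 2. What the proxy does per connection: mint a leaf for whatever host the browser
#    asked for, signed by the root. An attacker holding the root key does the same.
function New-InterceptCert {
    param([string]$HostName, [X509Certificate2]$Issuer)
    $leafKey = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$HostName", $leafKey, $hash, $padding)
    $san = [SubjectAlternativeNameBuilder]::new()
    $san.AddDnsName($HostName)
    $req.CertificateExtensions.Add($san.Build())
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
    # Random serial; clear the top bit so it encodes as a positive DER INTEGER.
    $serial = [byte[]]::new(16)
    [RandomNumberGenerator]::Create().GetBytes($serial)
    $serial[0] = $serial[0] -band 0x7F
    $req.Create($Issuer, $now, $now.AddDays(30), $serial)
}

# 3. What the browser's check boils down to: does the leaf chain to a trusted root?
#    ExtraStore only supplies the root for chain building; it does not trust it.
function Test-ClientAccepts {
    param([X509Certificate2]$Leaf, [X509Certificate2]$Root)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    $accepted = $chain.Build($Leaf)
    [pscustomobject]@{
        Host     = $Leaf.GetNameInfo([X509NameType]::DnsName, $false)
        Accepted = $accepted
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$bank = New-InterceptCert -HostName 'www.bank.example' -Issuer $rootCert
Test-ClientAccepts -Leaf $bank -Root $rootCert
```

On a machine that does not trust the demo root, Build fails and the status column reports UntrustedRoot, which is exactly the check that protects a normal user. Put that root into Trusted Root Certification Authorities, as Lenovo did with the Superfish one, and the same call accepts this leaf and every other leaf signed with the root key, for any hostname. That is why the root CA has to be removed, not just the adware.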

How do I know if I'm affected?

Open certmgr.msc (the steps are given under "How do I remove the certificate?" below) and look under Trusted Root Certification Authorities > Certificates for an entry issued to Superfish Inc. If it is there, you are affected, whether or not VisualDiscovery still appears in the list of installed programs.

Are all browsers affected?

Internet Explorer, Google Chrome and Firefox have all been found to be affected.

How do I remove the software?

The software can be uninstalled from

Control Panel > Programs > Uninstall a program

by selecting VisualDiscovery in the list of installed programs.

How do I remove the certificate?

Uninstalling the software does not remove the certificate, which leaves the machine open to man-in-the-middle (MitM) attacks.

It can be removed manually in the following steps:

  1. Press Windows key + R
  2. Type certmgr.msc and press Enter
  3. Expand "Trusted Root Certification Authorities" in the left pane
  4. Click "Certificates". This lists all root CAs trusted on the machine
  5. Find the "Superfish Inc." entry, right-click it and choose Delete
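The two questions above, whether a machine is affected and how to get rid of the certificate, can also be answered from PowerShell. The script below is an added example, not from the original article or from Lenovo's own tooling; it assumes the root certificate can be recognised by "Superfish" in its subject, just as the certmgr.msc steps do, and that the adware's uninstall entry carries the name VisualDiscovery. Run it from an elevated prompt so the LocalMachine store can be modified.

```powershell
# Added example, not from the original article: detect and remove the Superfish root CA
# and report whether VisualDiscovery is still installed. Assumes the certificate
# subject contains "Superfish" and the uninstall entry is named VisualDiscovery.
# Run elevated; a standard user cannot delete from Cert:\LocalMachine\Root.

function Get-SuperfishRootCert {
    # certmgr.msc shows the current user's view; the certificate can also sit in the
    # machine store, so check both and match on subject rather than a fixed thumbprint.
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -like '*Superfish*' }
}

function Get-VisualDiscoveryInstall {
    # Same list Control Panel > Programs reads from, including the 32-bit view on 64-bit Windows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*VisualDiscovery*' } |
        Select-Object DisplayName, Publisher, UninstallString
}

function Test-SuperfishAffected {
    # Affected if the root CA is trusted, whether or not the adware is still installed:
    # uninstalling VisualDiscovery leaves the certificate behind.
    [bool](Get-SuperfishRootCert) -or [bool](Get-VisualDiscoveryInstall)
}

function Remove-SuperfishRootCert {
    $certs = @(Get-SuperfishRootCert)
    if ($certs.Count -eq 0) { Write-Host 'No Superfish root certificate found.'; return }
    foreach ($cert in $certs) {
        Write-Host ("Removing '{0}' (thumbprint {1}) from {2}" -f $cert.Subject, $cert.Thumbprint, $cert.PSParentPath)
        Remove-Item -Path $cert.PSPath
    }
    # Re-check: Remove-Item errors on LocalMachine without admin rights, so confirm the store is clean.
    if (Get-SuperfishRootCert) { Write-Warning 'Superfish root still present; rerun from an elevated prompt.' }
}

if (Test-SuperfishAffected) {
    Get-VisualDiscoveryInstall | Format-Table -AutoSize   # uninstall this via Control Panel first
    Remove-SuperfishRootCert
} else {
    Write-Host 'Superfish root CA and VisualDiscovery not found.'
}
```

Internet Explorer and Google Chrome use the Windows certificate store, so this check and removal cover them. Firefox keeps its own certificate store, and since the article lists it as affected as well, open Firefox's Certificate Manager and look through the Authorities tab for a Superfish entry separately.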

Both procedures are explained with screenshots here.

What does FortiGuard do about it?

The adware is detected as Adware/SuprFish (Sig ID: 100288714)
