US-CERT Alert – Lenovo Superfish Adware

Last week the National Cyber Awareness System issued an alert regarding Superfish which I also touched on. Today the US-CERT issued an update regarding the Superfish security flaw:

TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

Original release date: February 20, 2015 | Last revised: February 24, 2015

Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed.


Superfish adware installed on some Lenovo PCs installs a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.


Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements.  In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic man-in-the-middle attack.  Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with.  Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed.  This means websites, such as banking and email, can be spoofed without a warning from the browser.

Although Lenovo has stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.

To detect a system with Superfish installed, look for an HTTP GET request to:


Where [ACTION] is at least 1, 2, or 3.  1 and then 2 are sent when a computer is turned on. 3 is sent when a computer is turned off.

Superfish uses a vulnerable SSL decryption library by Komodia. Other applications that use the library may be similarly affected. Please refer to CERT Vulnerability Note VU#529496 for more details and updates.


A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser.


Uninstall Superfish VisualDiscovery and associated root CA certificate

Users should uninstall Superfish VisualDiscovery. Lenovo has provided a tool to uninstall Superfish and remove all associated certificates.

It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store. In the case of Superfish VisualDiscovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”
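
One way to confirm the certificate is really gone after the uninstall, as an added PowerShell example (not part of the US-CERT alert and not Lenovo's removal tool). The parameter names `-SubjectPattern` and `-Remove` are this example's own; the only value taken from the alert is the “Superfish, Inc.” name.

```powershell
# Added example: audit the Windows trusted-root stores for the certificate
# the alert names, and remove it only when -Remove is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubjectPattern = 'Superfish, Inc.',  # name taken from the alert text
    [switch]$Remove                               # assumption: opt-in removal switch
)

# Check both the machine-wide and the per-user trusted-root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object {
            # Case-insensitive substring match on who the cert was issued to / by.
            $_.Subject -like "*$SubjectPattern*" -or $_.Issuer -like "*$SubjectPattern*"
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                PSPath     = $_.PSPath   # provider path, used for removal below
            }
        }
}

if (-not $found) {
    Write-Output "No trusted root certificate matching '$SubjectPattern' was found."
    return
}

# Report every match so the result can be recorded before anything is changed.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # ShouldProcess honours -WhatIf and -Confirm.
        if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove from $($cert.Store)")) {
            Remove-Item -LiteralPath $cert.PSPath
        }
    }
}
```

Removing from the `LocalMachine` store requires an elevated prompt; run with `-Remove -WhatIf` first to preview what would be deleted, then re-run without arguments afterwards to verify that nothing matches.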

Are We Cyborgs?

Are we all turning into Cyborgs? That is the question that Amber Case discussed recently on TED. If you take the time to look around as you go through the day (any day, it doesn’t matter) you surely can see this happening. It seems everyone has their attention on their smartphone, laptop or tablet, even while walking and driving. Our attention is drawn to these devices even while holding conversations with each other!

This is not surprising to Case, and after you watch her 8-minute lecture on the topic you might agree that yes, we are indeed turning into cyborgs. Is this a good or bad thing that is happening to us? The conclusion is not as clear as you might think.