It emerged a few days ago that Lenovo had been shipping a number of consumer machines with pre-installed ad software that did an excellent job of circumventing SSL security, in addition to serving up ads no-one wanted. I won’t explain everything in full as The Reg have covered the story and its aftermath pretty well here.
As if that wasn’t enough, it subsequently emerged that not only did the Superfish software allow man-in-the-middle attacks, but it also accepted invalid SSL certificates that a browser would normally detect and block (full write-up: https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/). Nice one Superfish!!
Finally Lenovo have bowed to pressure [and the inevitable hit they could see their bottom line was going to take? – Ed] and released a removal tool.
We’d encourage any readers who have a Lenovo machine to run the removal tool as a matter of urgency to see if they are vulnerable. From reports, it’s only the Lenovo consumer machines that are affected, but it pays to be on the safe side and run it on ANY Lenovo machine.
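For readers who want an independent check alongside the removal tool: Superfish worked by placing its own root certificate in the Windows trust store, which is what let it intercept SSL connections. The PowerShell below is an added example (not from the original post or from Lenovo’s tool) that lists any certificate in the machine and current-user root stores whose subject or issuer matches a vendor name. It assumes the injected root’s subject contains the vendor name (the default pattern `Superfish` is that assumption; pass a different `-Pattern` for other vendors).

```powershell
# Added example, not part of the original post: enumerate the Windows root
# certificate stores and flag entries matching a vendor name.
# Assumption: the injected root's Subject/Issuer contains the vendor name.
function Find-InjectedRootCA {
    param(
        # Regex matched against Subject and Issuer; "Superfish" is an assumed default.
        [string]$Pattern = 'Superfish',
        # Both root stores are checked: a root trusted for one user still breaks
        # that user's browser sessions.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            Select-Object @{ Name = 'Store'; Expression = { $store } },
                          Subject, Thumbprint, NotBefore, NotAfter
    }
}

# Run the check; an empty result means no matching root was found in either store.
$hits = Find-InjectedRootCA
if ($hits) {
    Write-Warning "Matching root certificate(s) found - run the vendor removal tool and re-check:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No root certificate matching the pattern was found."
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable; re-run after using the removal tool to confirm the certificate is gone, since a leftover trusted root is what keeps the interception working even after the ad software itself is uninstalled.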