It seems like all the big vulnerabilities need to have snappy titles these days, and a recently discovered threat titled Superfish is no exception. This little bugger poses a serious risk to your security and privacy, so let's talk a little bit about it – and more importantly, how to get rid of it.
Superfish is super snoopy and super bad
A few weeks ago, I opened up my Twitter feed to find it exploding with information about a vulnerability dubbed Superfish that was preinstalled on some Lenovo machines without users being aware of it. The Superfish risk itself gets kind of propeller-hat nerdy, and since I’m a visual person, the best way I can describe it is with some horribly illustrated cartoons. Please bear with me, ok? First, here’s an example of what happens when your computer normally wants to visit a secure Web site like wellsfargo.com:
This illustration touches on the important concept of certificates. Basically, wellsfargo.com presents your machine with a certificate proving its identity. Your machine checks that certificate against its installed list of known “good” root certificates, and then decides whether or not to trust it (there’s much more to it than this, but I’m trying to cover this at a high level). Here’s a screenshot of what that certificate list looks like on a machine without Superfish installed:
Now let's take a look at the same wellsfargo.com communication again, this time initiated from a user’s machine that has Superfish installed:
In this example, the user’s machine is letting Superfish be a “man in the middle” and handle the connection between the PC and the wellsfargo.com site. Why? Because Superfish adds its own certificate to that trusted root list, which basically means your Web browser will happily accept Superfish as a “middle man” and not throw any red flags at you. Here’s what the certificate list looks like on a machine where Superfish is present:
In short, Superfish:
- Might be preinstalled on your machine without your knowledge
- Snoops on connections you presume are secure
- Serves you ads
But wait – Lenovo thinks you wanted Superfish?
According to Lenovo’s initial statement, the company claims Superfish’s goal was to “improve the shopping experience using…visual discovery techniques.” In other words, they thought you as a consumer would enjoy Superfish snooping on your encrypted traffic in order to present you with targeted advertisements.
That violation of privacy alone is enough to get concerned about, but the security implications are even more devastating. For example, shortly after the Superfish discovery, someone figured out how to extract the Superfish certificate and its private key and then use it on public Wi-Fi to trick users into visiting bankofamerica.com while stealing their credentials. Read the linked articles for more details, but the big takeaway is that if Superfish was installed on your machine, you would have no idea if you fell into such a trap! Your Web browser would confidently display https://www.bankofamerica.com in the address bar, but unbeknownst to you, Superfish would be working behind the scenes, peeking at your usernames, passwords, banking details and any other sensitive data in order to “improve the shopping experience.”
How to unhook Superfish from your machine
I know the previous section got pretty technical, so if you are scratching your head, just know that Superfish is very, very, very bad and you want to get it off your machine right now. Lenovo published a list of affected models, but I’m simply recommending that people go to https://filippo.io/Badfish/, which will test your machine for the presence of Superfish – and a few other known ugly things – and help you get rid of them. Also, Microsoft’s Windows Defender and other leading antivirus products are now identifying Superfish as a virus or malware, and will nuke it automatically for you.
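If you would rather look at the certificate list yourself instead of trusting a Web page, here is an added example (my own script, not from Lenovo, Badfish or any antivirus vendor) that audits the Windows trusted root stores for a Superfish root certificate and, only when you ask it to, removes it. It assumes Windows PowerShell 5.1 or later and an elevated prompt for the LocalMachine store; it matches on the certificate’s subject name rather than a hard-coded fingerprint.

```powershell
# Added example: audit the Windows trusted root stores for the Superfish root
# certificate described in the post, and optionally remove it.
# Assumptions: Windows PowerShell 5.1+; run elevated to touch LocalMachine.
param(
    [switch]$Remove   # report only unless -Remove is given
)

# Both root stores matter: a root in either one is trusted by the browser.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found  = @()

foreach ($store in $stores) {
    # A root certificate is self-signed, so its issuer equals its subject.
    # Only flag self-signed roots whose subject names Superfish.
    $hits = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' -and $_.Subject -eq $_.Issuer }

    foreach ($cert in $hits) {
        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
        }
        if ($Remove) {
            # Remove-Item on the certificate's provider path deletes it from that store.
            Remove-Item -Path $cert.PSPath
            Write-Output "Removed $($cert.Thumbprint) from $store"
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the trusted root stores.'
} else {
    $found | Format-Table -AutoSize
    if (-not $Remove) {
        Write-Output 'Re-run with -Remove to delete the certificate(s) listed above.'
    }
}
```

Deleting the root only closes the trust hole; the reinstall and password-change advice in the next section still applies if the script finds anything.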
However, if you tested positive for Superfish, simply removing it isn’t enough. I agree with this article, which states that as a Superfish victim, you should really wipe your machine and reinstall factory Windows (not the Lenovo system recovery reinstall) as well as change any passwords you have used on that machine. I know, that is a colossal pain. But it is the best way to get some peace of mind that the damage from Superfish’s bite is as contained as possible.
If you got hooked by Superfish, you need to move forward with removal and remediation steps as soon as possible. If you have questions, I would welcome the chance to talk with you. I can be reached at 952-467-6385 or at [email protected]