After the discovery of a severe security hole caused by Superfish adware pre-installed on select Lenovo notebook, 2-in-1, and tablet PCs running Windows, the computer maker has released removal instructions and a removal tool for the malicious program, as well as a list of affected computer models.
“Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. The application can be uninstalled; however, the current uninstaller does not remove the Superfish root certificate,” Lenovo published.
Affected Lenovo laptops include select consumer-class E, Flex, G, Miix, S, U, Y, Yoga, and Z series models, shipped “between September 2014 and February 2015”. The business-oriented ThinkPad series notebooks and tablets aren’t affected by the issue.
Here’s a complete list of models with pre-loaded Superfish.
- E-Series: E10-30
- Flex-Series: Flex 2 14, Flex 2 15, Flex 2 14D, Flex 2 15D, Flex 2 14 (BTM), Flex 2 15 (BTM), Flex 10
- G-Series: G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45
- Miix Series: Miix 2 8, Miix 2 10, Miix 2 11
- S-Series: S310, S410, S415, S415 Touch, S20-30, S20-30 Touch, S40-70
- U-Series: U330P, U430P, U330 Touch, U430 Touch, U540 Touch
- Y-Series: Y430P, Y40-70, Y50-70
- Yoga-Series: Yoga 2 11 BTM, Yoga 2 11 HSW, Yoga 2 13, Yoga 2 Pro 13
- Z-Series: Z40-70, Z40-75, Z50-70, Z50-75
Urgent removal of the Superfish software and its root certificate is highly recommended, since they can be used for very serious exploits, such as enabling attackers to retrieve users’ email addresses, credit card numbers, and other personal data.
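
Because Lenovo notes that the uninstaller leaves the root certificate behind, it is worth checking the trusted root stores after uninstalling. The following PowerShell script is an added example, not Lenovo's removal tool; it assumes the leftover certificate can be recognised by the string "Superfish" in its Subject or Issuer, and the parameter names are hypothetical.

```powershell
# Added example: audit the Windows trusted root stores for a leftover Superfish root.
# Assumption: the certificate's Subject or Issuer contains the string "Superfish".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NamePattern = 'Superfish',  # assumed match string, not taken from Lenovo's advisory
    [switch]$Remove                       # delete matches; LocalMachine needs an elevated session
)

# Both the machine-wide and the per-user trusted root stores are checked.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$NamePattern*" -or $_.Issuer -like "*$NamePattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                SelfSigned = ($_.Subject -eq $_.Issuer)  # a root CA is its own issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                PSPath     = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output "No trusted root certificate matching '$NamePattern' found."
    return
}

# Show what is still trusted so it can be reviewed before anything is deleted.
$found | Format-Table Store, Subject, SelfSigned, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # ShouldProcess honours -WhatIf and -Confirm for a dry run.
        if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove from $($cert.Store)")) {
            Remove-Item -Path $cert.PSPath
        }
    }
}
```

The script only covers the Windows certificate stores; applications that maintain their own trust store are not checked by it.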