Lenovo Says It "Messed up Badly," To Release Clean-up Tool For Superfish

Lenovo has admitted that it "messed up badly" by pre-loading software on some consumers laptops, leaving them vulnerable to attacks. The company added that it will soon release the removal tool.

"I have a bunch of very embarrassed engineers on my staff right now," Lenovo CTO Peter Hortensius said in an interview Thursday. "They missed this."

The tool, called Superfish, injected product recommendation into search results but recently it was discovered that it also opened a serious security hole.

The program interferes with SSL-encrypted Web traffic by installing its own root certificate in the trusted certificate store used by browsers. It then uses it to generate SSL certificates for HTTPS-enabled websites when they are visited by users. This allows it to act as a man-in-the-middle proxy between users and those secure websites, PCWorld reported.

According to several security experts, the certificate's private key can be recovered by reverse-engineering the software, enabling malicious hackers to launch man-in-the-middle attacks when users connect to public Wi-Fi hotspots or compromised networks.

Lenovo has already published instructions for how users can remove Superfish and a cleanup tool is launching soon that will uninstall the program and delete the root certificate it created.

According to Lenovo, the Superfish software was only installed on some consumer laptops sold through retail stores. A complete list of affected models can be found here.