Lenovo, FTC to Settle Superfish Adware Complaint

Superfish Used a Self-Signed Root Certificate to Inspect All Traffic
Lenovo will pay $3.5 million to the U.S. Federal Trade Commission and 32 states to settle a case brought against it over advertising software with serious security issues that was preinstalled on thousands of the company’s laptops.

The VisualDiscovery software, made by a company called Superfish, monitored a user’s internet browsing and injected pop-up ads for products from vendors with which Superfish had a business relationship.

VisualDiscovery used an invasive way to view internet traffic. It terminated encrypted connections with a website and reinitiated its own connection, allowing it to monitor traffic that had been protected by SSL/TLS.
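One defensive check this kind of interception invites is a trust-store audit: a root that is self-signed and not on the organisation's allowlist is the artefact to look for. The Python below is an added example, not code from the article or from any vendor; the certificate entries are constructed samples in the shape that Python's `ssl.SSLContext.get_ca_certs()` returns, and the allowlisted names are placeholders.

```python
import ssl

# Constructed sample in the dict shape returned by SSLContext.get_ca_certs():
# one legitimate root, one intermediate (not self-signed), and one unexpected root.
# Names are placeholders for the example, not real trust-store contents.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "issuer": ((("organizationName", "Example Trust Services"),),
                (("commonName", "Example Root CA"),))},
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Intermediate CA"),)),
     "issuer": ((("organizationName", "Example Trust Services"),),
                (("commonName", "Example Root CA"),))},
    {"subject": ((("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),))},
]


def _attr(name, key):
    """Return one attribute (e.g. commonName) from a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return ""


def is_self_signed(cert):
    """A root certificate signs itself: subject and issuer are the same name."""
    return cert["subject"] == cert["issuer"]


def find_unexpected_roots(certs, expected_cns):
    """Return the commonNames of self-signed roots that are not on the allowlist."""
    return [_attr(c["subject"], "commonName")
            for c in certs
            if is_self_signed(c) and _attr(c["subject"], "commonName") not in expected_cns]


def audit_system_store(expected_cns):
    """Run the same check against the roots Python loads from the platform store."""
    ctx = ssl.create_default_context()
    return find_unexpected_roots(ctx.get_ca_certs(), expected_cns)


if __name__ == "__main__":
    for cn in find_unexpected_roots(SAMPLE_STORE, {"Example Root CA"}):
        print("unexpected self-signed root:", cn)
```

`audit_system_store` only sees roots Python has loaded (on some platforms a `capath` entry is loaded on first use), so treat its result as a starting point rather than a complete inventory.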

The software raised further alarm after security experts found that the way it had been implemented had other security flaws. It shipped on a wide variety of Lenovo laptops between August 2014 and February 2015.

The FTC alleged Lenovo violated the Federal Trade Commission Act, which addresses unfair or deceptive trade practices. In a statement on its website, Lenovo says that “while Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years.”

In addition to the penalty, the amount of which was announced by New Jersey’s Attorney General’s Office, Lenovo has had other restrictions placed on it.

Lenovo will be required to get consent before preinstalling advertising software and can’t misrepresent software features. It also must develop a security program, which will run for 20 years, that will review preloaded software installed on laptops.

The settlement is tentative. The FTC will accept public comments on it through Oct. 5, after which the commission will decide whether to issue a final order.

Source: Bank Info Security