Lenovo hit with lawsuit over Superfish “spyware”

23 Feb 2015

A proposed class-action suit was filed late last week against Lenovo and Superfish, PC World reported. The suit charged both companies with "fraudulent" business practices and with leaving Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the Superfish adware.

According to plaintiff Jessica Bennett, her laptop was damaged due to Superfish, which was called "spyware" in court documents. The companies were also accused of invading her privacy and making money by studying her internet browsing habits.

The filing came after Lenovo, the world's biggest PC maker, admitted to pre-loading Superfish on some consumer PCs (See: Lenovo Group apologises to customers over Superfish software).

Laptops affected by Superfish include non-ThinkPad models such as G Series, U Series, Y Series, Z Series, S Series, Flex, Miix, Yoga and E Series.

Lenovo has since released fixes to remove Superfish applications and certificates from PCs. Microsoft's Windows Defender and McAfee's security applications have also removed Superfish since Friday.

Lenovo admitted to messing up by preloading Superfish on computers. The software plugged product recommendations into search results, but could hijack connections and open major security holes, thus leaving computers vulnerable to malicious attacks, according to security experts.

Meanwhile, in the face of media flak that could badly hurt any startup's future, Superfish CEO Adi Pinhas blamed another company for the security flaw and complained about what he called "false and misleading statements made by some media commentators and bloggers," CBS/AP reported.

Researchers had revealed on Thursday that some laptops sold by Lenovo contained a security flaw that could allow hackers to impersonate shopping, banking and other websites and steal users' credit card numbers and other personal data.

Lenovo has, however, apologised for pre-loading the computers with Superfish's visual search software, which captured images viewed online, such as a sofa or pair of shoes, and then showed users ads for similar products.

According to commentators, the image recognition algorithm, by itself, might not be a security risk. However, the problem had come to the fore as Superfish used software from another company that could eavesdrop when internet users visited secure or encrypted websites.

Lenovo did not put a figure on the number of laptops infected with the software. CNET reported, citing industry analyst IDC, that the company sold 16 million Windows computers in the fourth quarter of 2014.

According to some experts, the problem might not be limited to Lenovo: the Komodia tool Lenovo had identified could imperil any company or program using the same code. It was not only Superfish; other companies might be vulnerable, according to Robert Graham, CEO of Errata Security.