SUPERFISH... What is it, and why should you care

There's bad and there's bad. This is terrible. Lenovo has exposed millions of users to a severe security vulnerability. It's one of the worst examples of manufacturer hubris I can remember. To put their users in such a situation purposefully is almost beyond belief.

The gist of the situation is this: Lenovo has been shipping laptops with adware called "Superfish". The software installs a self-signed root certificate that can be used to hijack users' encrypted traffic. So, if you go to your bank's website, Superfish inserts itself into the connection and presents itself as that site's valid certificate issuer.

Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. - ARS TECHNICA

Furthermore, any attacker who has the certificate and its private key (anyone with access to a Lenovo laptop from the last 9 months would have it) can view that same encrypted traffic at a public hotspot, where there are sure to be any number of Lenovo laptops in use.

If you are a school or a business using Lenovo laptops, you may want to consider uninstalling Superfish at the very least, and at most formatting the machine and installing Windows fresh. The Ars Technica article linked to below has a good overview of the situation.
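Before reinstalling, an administrator can check whether the self-signed root certificate described above is actually present in a machine's trusted root stores. This is an added example, not code from the original post; the "*Superfish*" subject match is an assumption based only on the vendor name, and Remove-Item against the LocalMachine store needs an elevated shell.

```powershell
# Added example: scan both Windows trusted root stores for a root certificate
# whose Subject mentions Superfish and, with -Remove, delete what is found.
# The '*Superfish*' pattern is an assumption, not a value from the original post.
function Find-SuperfishRoot {
    param([switch]$Remove)

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' } |
            ForEach-Object {
                # A self-signed root certificate has identical Subject and Issuer
                $selfSigned = ($_.Subject -eq $_.Issuer)
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    SelfSigned = $selfSigned
                    NotAfter   = $_.NotAfter
                }
                if ($Remove) {
                    # Removing from LocalMachine\Root requires administrator rights
                    Remove-Item -Path $_.PSPath -Confirm:$false
                }
            }
    }
}

# Report only; re-run with -Remove once the findings have been reviewed
Find-SuperfishRoot | Format-Table -AutoSize
```

An empty result does not prove the adware itself is gone; it only shows that no matching root certificate remains trusted on that machine.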