What is the fuss about Superfish?



18th March 2015

SuperFish

The recent discovery of SuperFish and its massive security flaw has sparked a massive wave of controversy towards tech giant Lenovo, and sent the media into a meltdown over the last few weeks. It has been called adware, spyware, malware and everything in between by news companies. We have even had reports of anti-virus software such as AVG popping up and asking its customers if they are aware of it. We decided it was time for a blog post to answer some key questions and provide clarity amongst all of the panic!

Who and what is a Superfish?

Born in the oceans of Krypton, equipped with scales of steel and super-speed it has been suggested the SuperFish is the saviour of Planet Earths' oceans… If only that were the reality. The true reality is that SuperFish is in fact a company who specialises in digital advertising. What they have created is a piece of self-titled adware (software that creates adverts) that sounds fairly harmless. It's designed to track what you look at online and then place targeted adverts for things that it thinks you may be interested in. An example of this may be that you have decided to look at furniture in one of the many never ending sales that certain furniture retailers have, Superfish visually tracks the items you have looked at and then on the same page will suggest alternatives. In theory it actually sounds helpful, until you start to look into the way it operates.

What's the problem then?

To really understand the problem with SuperFish you need to know how secure connections are made between websites such as online banking log in pages and your internet browser. The basic gist of it is that secure webpages send your browser a digital certificate that acts a bit like the fingerprint of the person who has made it. Your browser checks this certificate before starting a secure, encrypted, connection with the website (you can tell when this process has happened – the padlock that appears in your address bar is the symbol of a secure connection). The problem is that SuperFish hijacks this process and places its' own certificate in the process so that it can track all communication between websites and your browser, even when you use a private session in a browser. It gets worse - another problem is that the password for the certificate that SuperFish superimposes is the word 'Komodia' meaning that a hacker could theoretically intercept the now-not-so secure communication process between a website such as an online bank and your internet browser.

Who does it affect?

This is where it gets ambiguous, nobody really knows the exact numbers apart from SuperFish and Lenovo. Lenovo, the popular IT manufacturer, had been preinstalling Superfish on certain models of its consumer grade laptops sold between in a certain time frame. Here's what their Support page had to say on the topic: "SuperFish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing. However, user feedback was not positive, and we responded quickly and decisively"

So it's fairly safe to say that a lot of the hysteria in the media is actually a bit over the top as not that many people will actually be affected. Looking at the list of Lenovo's affected notebooks on their support page. It's easy to see that the list is not huge especially in comparison to the amount of product lines Lenovo sold during that time frame. The majority of Lenovo's lines fall in the bracket of being 'Business Grade' and not 'Consumer' which is great news for our customers, who are incredibly unlikely to be using a consumer grade piece of equipment. We have even had reports that not every single PC listed on the support page shipped with SuperFish installed!

However it is worth mentioning that SuperFish is software that PC users, no matter who has manufactured their PC, may have installed this pesky piece of adware accidentally when downloading other software. In the same way that when you download Adobe Reader, Adobe sneakily tries to bundle in Google Chrome, SuperFish has also been included into various software downloads so there's a slim chance it may catch some people unaware. This may explain why anti-virus software such as AVG is popping up with SuperFish related messages and scaring a fair share of its users.

Fortunately it's actually really quick and easy to check to see if your devices have been affected by this menace – if you open the 'Control Panel' on your Windows computers and navigate to the 'Programs and Features' section you'll see a fairly long list of all of the applications installed on your device. If SuperFish it's not in the list it's fairly safe to assume that you are not affected although to be on the safe side our engineers recommend paying a visit to the Vulnerability Test Page that has been made by the same team of people who made a similar test page for the Heartbleed security flaw which you can read all about here.

I've caught a SuperFish - what do I do?

The great news is that you don't need a bullet made of Kryptonite to zap SuperFish as Lenovo have made a handy tool that will do a lot of the work for you (available to download here) however what we really recommend if you are worried that your security is being compromised by SuperFish is to get in contact with our team of dedicated Technical Engineers. Especially if you are on our customers who has a Pre-Paid or Committed IT support package from us!

 

<< Back to the Blog

<<
 

IT Survey & Challenge Quiz!IT Survey & Challenge Quiz!

Are you getting the best out of your IT?

Take the Quiz

Popular VPWSYS Services:

Backup Services - From just £8.00 a month, affordable protection against loss of data
Domain Names - We provide Domain Name services from just £9.37 + VAT
Pre-Paid Support - On the phone and in person, and you're only charged for the time you use.