It doesn’t get much better than this. The United States Computer Emergency Response Team (US-CERT), sponsored by the U.S. Department of Homeland Security, issued an alert yesterday warning about Lenovo’s Superfish spyware, among other things reporting that the privacy-evading service has been shipping since at least 2010, apparently contradicting Lenovo’s assertion that they began the practice in September 2014.
TA15-015A begins with the words:
Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. However, Superfish was reportedly bundled with other applications as early as 2010.
The US-CERT alert clearly explains the nature of the threat Superfish poses and provides remediation guidance that users should follow immediately. No mention is made of waiting for the promised patch from Lenovo, probably due to the clear and present danger posed by the software as a zero-day exploit (or, more accurately, a minus-4-year exploit, given how long it has resided on many machines and how easy it is for third parties to exploit).
Sadly, NPR has still failed to report on the Superfish scandal, as have most other major media outlets in the U.S. This causes one to wonder whether Lenovo has made lots of friends in the U.S. press over the years, or whether the press is instead so tragically ignorant of technology that they can’t understand the seriousness of the situation. As a monthly NPR contributor I’m actually afraid to look at whether Lenovo is also a donor, as that might cause me to reconsider my support.