Lenovo lists computer models that may include third party software linked to vulnerability
25 February 2015
UPDATE: Lenovo has listed the model numbers of its computers that are likely to include pre-installed third-party software linked to a vulnerability. Attackers can potentially exploit this vulnerability to read encrypted traffic and install malware. The third party software product was pre-installed on some Lenovo computers running Windows.
The computer maker has also released an automated tool to enable users to address the vulnerability by removing the third-party software product and its associated security certificate. The tool is available as an executable program for users to download and run. Lenovo has also advised how the software product can be removed manually.
The model numbers that may feature the third-party software product are:
You can test your Lenovo computer for this vulnerability by trying to access the Can I Be Super Phished website from your computer. This site has been set up to test for the vulnerability and is safe to access. It also contains additional information on addressing the vulnerability. Visiting this site should prompt a security warning from your browserwhen you follow the link.
If you do receive a warning indicating the site is untrusted, this indicates your computer does not have the vulnerability. If you can access the site without observing any security notification, it is likely your computer has the vulnerability and you should take steps to remove it.
You should undertake this test using Internet Explorer or Google Chrome browsers. Firefox may not provide a clear result.
All Lenovo users should check
We advise any user of Lenovo laptops or computers to check to see if their computer is vulnerable. The vulnerability is caused by software installed by Lenovo that was designed to inject advertisements into websites you visit. In order to include encrypted websites, a security certificate was pre-installed onto the computer.
Security certificates tell your computer which websites and software can be trusted. They are important to your online security, including for establishing secure connections to encrypted websites. (Trusted, encrypted websites commonly display a padlock in thebrowser address bar.)
Security certificates have two components, a public key and a private key. As their names imply, the public key can be known by everybody, while the private key needs to be kept secret (in this case, only Lenovo should have access to the private key).
This vulnerability arises because the private key was included on affected Lenovo laptops, stored within the pre-installed advertising program.
Details of the private key are easily accessible online, so can be used by anyone to forge fake security certificates, impersonate the advertising program and carry out a range of possible attacks.
These attacks may include accessing or spying on encrypted traffic between your computer and secure websites, as well as ‘signing’ malware with these certificates, meaning your computer will trust this malware as though it was legitimate and safe software.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.