Lenovo has stopped shipping hardware preinstalled with the controversial Superfish Visual Discovery, software deemed spyware by consumers, but the Chinese computer manufacturer is now facing a class action lawsuit regarding the matter.
The case, Bennett v. Lenovo (United States), Inc. et al, is being considered in federal court by California's Southern District Court circuit. The plaintiff, Jessica N. Bennett, alleges Lenovo preinstalled Superfish Visual Discovery on its computers.
The lawsuit alleges that Superfish's software degraded the performance of computers on which it was installed, increased data usage, generated popups, injected ads into web searches and tracked the browsing habits of unwitting consumers.
Lenovo says it deployed Superfish in an effort to improve the shopping experience of customers, using the software's visual discovery algorithms. It abandoned the software once customers began to complain about it, Lenovo said.
"We acted swiftly and decisively once these concerns began to be raised," Lenovo says. "We apologize for causing any concern to any users for any reason -- and we are always trying to learn from experience and improve what we do and how we do it."
Along with the reports of Superfish's tracking and ad-injection habits, some users claim the software was capable of perpetrating man-in-the-middle (MitM) attacks. Lenovo has since confirmed that Superfish is capable of launching MitM attacks and siphoning sensitive data from an otherwise secure connection, doing so by giving itself the credentials necessary to sit in on secure sessions.
"Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store," stated Lenovo. "The application can be uninstalled; however, the current uninstaller does not remove the Superfish root certificate."
Currently, users can only get rid of Superfish's certificates by going through the process of certificate revocation or installing a fresh copy of Windows on their devices.
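The script below is an added example, not Lenovo's tooling or anything from the original article: it reports whether a root certificate naming Superfish is still present in the Windows trust stores after the application has been uninstalled. Matching on the string "Superfish" in the certificate subject or issuer is an assumption, since the article gives no thumbprint, and the `$Remove` switch is a hypothetical name introduced here.

```powershell
# Added example: audit the Windows trusted-root stores for a leftover
# Superfish root certificate (the uninstaller leaves it behind).
# Assumption: the certificate's Subject or Issuer contains "Superfish".
$Pattern = 'Superfish'
$Remove  = $false   # set to $true in an elevated session to delete matches

$Stores = 'Cert:\LocalMachine\Root',
          'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\AuthRoot'

$Hits = foreach ($Store in $Stores) {
    # Skip stores that do not exist on this Windows edition.
    if (-not (Test-Path -Path $Store)) { continue }

    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $Store
                Subject       = $_.Subject
                # Subject equal to Issuer marks a self-signed root.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Thumbprint    = $_.Thumbprint
                Path          = $_.PSPath
            }
        }
}

if (-not $Hits) {
    Write-Output "No trusted root matching '$Pattern' found."
    return
}

$Hits | Format-List Store, Subject, SelfSigned, HasPrivateKey, NotAfter, Thumbprint
Write-Warning "$(@($Hits).Count) trusted root certificate(s) match '$Pattern'."

if ($Remove) {
    foreach ($Hit in $Hits) {
        # Deleting from LocalMachine stores requires administrator rights.
        Remove-Item -LiteralPath $Hit.Path -ErrorAction Stop
        Write-Output "Removed $($Hit.Thumbprint) from $($Hit.Store)"
    }
}
```

The script inspects only the Windows certificate stores; applications that keep their own trust store are not covered by it.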
Lenovo says it stopped preinstalling Superfish on its machines in January 2015, and disabled the server connection to the software. The world's biggest PC maker said it has been providing tools to help customers clean computers of what a Lenovo representative called a potentially unwanted program (PUP) in a forum post.
The Chinese hardware manufacturer says Lenovo notebook products, shipped between September 2014 and February 2015, were affected by Superfish. It says it didn't preload the software onto its ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products.
For those unsure if Superfish is installed on their computers, Lenovo says the software may have been preloaded on each of the following products:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
E Series: E10-30