Lenovo swears the issue is only theoretical...
...but their own security issued an advisory rating it highly severe:
http://www.zdnet.com/article/lenovo-...tag=TRE17cfd61
Quote:
The company dismissed security concerns that Superfish was able to hijack SSL/TLS connections via a self-signing root certificate authority that had the same private key on each and every Lenovo device upon which Superfish was installed.
"We have thoroughly investigated this technology, and do not find any evidence to substantiate security concerns," Lenovo's statement said.
"We know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience, and priorities first."
However, a security advisory published by Lenovo rated the incident as highly severe.
"Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern," the advisory said.