After news broke this week that Lenovo was putting dangerous adware on its computers, the company responded by removing the offending software from new machines and disabling it on the computers it had already shipped it with. The company also insisted that the adware posed no security risks to any of its customers, a statement that was met with incredulity by security experts. However, the company has now admitted that installing Superfish on its computers opened up big security holes that it’s now scrambling to fix.
In an interview with Re/code, Lenovo CTO Peter Hortensius admitted that Lenovo should have known that Superfish left users vulnerable to man-in-the-middle attacks in which hackers could steal sensitive information such as online banking credentials.
“We should have known that going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create… we are taking our beating like we deserve on this issue.”
Hortensius also said that Lenovo is not “curled up in a ball” and is actively looking for ways to make things right with its customers. That said, the damage to Lenovo’s reputation has already been done and it’s very hard to see any amount of groveling undoing it.
Just the fact that Hortensius says he and his team didn’t anticipate these issues coming up is bad in and of itself, since Superfish was written specifically to create a self-generated root certificate that can install itself in both Windows and assorted web browsers to hijack HTTPS traffic. If they didn’t see something like this causing problems, what else are they overlooking?
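As an added example (not from the article, Lenovo, or Superfish), here is how an administrator can audit a Windows machine for a self-installed root certificate of the kind described above: list the trusted root stores and flag any entry whose subject contains "Superfish". The substring match is an assumption, since the article does not quote the certificate's exact subject, and the store paths are the standard Windows certificate provider paths.

```powershell
# Added example: audit the Windows trusted root stores for a Superfish-style root CA.
# Assumption: the offending certificate's Subject contains the string "Superfish"
# (the article names Superfish; the exact subject string is not quoted there).
$pattern = 'Superfish'

# Both the machine-wide and the current user's root stores are consulted,
# since a self-installed root could have been placed in either.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter, PSPath
}

if ($suspect) {
    Write-Output "Trusted root CA candidate(s) matching '$pattern' found:"
    $suspect | Format-Table -AutoSize
    # Remediation: delete the entry after confirming the match. -WhatIf shows what
    # would be removed without touching the store; drop it to actually remove.
    # $suspect | ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
} else {
    Write-Output "No certificate matching '$pattern' in the trusted root stores."
}
```

Run it from an elevated PowerShell session so the LocalMachine store is readable. Firefox keeps its own certificate store rather than using the Windows one, so a browser that the adware touched separately needs to be checked in its own certificate manager as well.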