Are You at Risk from Superfish? Check Now.

February 19, 2015 | Security News
LastPass Now Checks If You're Affected by the Superfish Vulnerability

News broke on Wednesday, February 18th that Lenovo devices had shipped with adware that may compromise secure connections to websites and leave sensitive consumer information exposed.

Use our tool now: www.LastPass.com/superfish to check if you were affected by the Superfish vulnerability.

What is the Superfish vulnerability?

Software known as Superfish Visual Discovery was pre-installed on Lenovo products over the last two years. The Superfish software injects ads into Google search results and websites that “help users find and discover products visually”.

However, it was discovered that the Superfish software installs its own self-signed root Certificate Authority into the system's trusted store, so that anything signed by Superfish always appears as a trusted party. The Superfish software then has the ability to intercept supposedly secure communications to websites via a man-in-the-middle attack. Researchers also confirmed that attackers on the same network, such as an open WiFi hotspot at a coffee shop, can exploit Superfish to steal things like your banking login details or to read your emails.

How does this affect LastPass?

LastPass uses SSL as an extra layer of protection, in addition to other encryption layers. If you logged in via the LastPass extension, there is no additional risk from a local man-in-the-middle attack. If you logged in via the LastPass.com website, the risk is slightly greater, but we have no cause to believe LastPass users are at risk. We have no indication this vulnerability has been targeted at LastPass users, and the original goal of this malware was to serve advertisements.

Take action now to protect yourself from Superfish.

The good news is that Lenovo has stopped pre-loading Superfish as of January 2015. The bad news is that millions of Lenovo laptops were shipped with Superfish running on them (we don’t have a list of affected devices at this time). Superfish appears to impact Internet Explorer and Chrome on those Lenovo computers.

Our Superfish checker at https://lastpass.com/superfish/ will verify whether Superfish is running on your machine and tell you whether or not your system is at risk.

If you’re affected by Superfish, you must first remove the Superfish program:

  • Click the Windows Start button
  • Search for “Uninstall a program”
  • Launch “Uninstall a program”
  • Right-click on Superfish Inc VisualDiscovery and select Uninstall
  • If prompted for an administrator password, enter it or provide confirmation

Then you must uninstall the Superfish certificates as well:

  • Click the Windows Start button
  • Type certmgr.msc into the Search box
  • Click the certmgr.msc Program to launch it
  • If prompted for an administrator password, enter it or provide confirmation
  • Click on Trusted Root Certification Authorities
  • Open Certificates
  • Look for certificates mentioning Superfish Inc
  • Right-click on any Superfish Inc certificates and select Delete
  • Restart your browser
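As an added example (not LastPass's checker or Lenovo's removal tool), the PowerShell script below performs the certificate-store part of the steps above programmatically: it lists any certificate in the current-user and machine Trusted Root stores whose subject or issuer mentions Superfish, and deletes them only when run with -Remove. It assumes an elevated Windows PowerShell prompt and that the VisualDiscovery program has already been uninstalled, as described above.

```powershell
# Added example, not code from LastPass or Lenovo.
# Lists (and with -Remove, deletes) Superfish certificates from the
# Trusted Root Certification Authorities stores that certmgr.msc shows.
# Assumption: run from an elevated prompt, after uninstalling the program,
# so the certificate is not simply re-added by the running software.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Both the per-user and machine-wide root stores are checked (assumed scope).
$stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')

function Find-SuperfishCert {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    PSPath     = $_.PSPath
                }
            }
    }
}

$found = @(Find-SuperfishCert -Paths $stores)

if ($found.Count -eq 0) {
    Write-Host 'No Superfish certificates found in the trusted root stores.'
    return
}

# Show what was found before touching anything.
$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        Write-Host "Removing $($cert.Thumbprint) from $($cert.Store)"
        Remove-Item -Path $cert.PSPath
    }
    Write-Host 'Done. Restart your browser so it picks up the updated root store.'
} else {
    Write-Host 'Re-run with -Remove (from an elevated prompt) to delete them.'
}
```

Re-run the script without -Remove after a restart to confirm nothing has re-added the certificate.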

Once your system is clean:

  • Download LastPass to start managing your passwords: www.LastPass.com
  • Run the Security Check (from the Tools menu in your LastPass browser extension).
  • Use Auto-Password Change to instantly update weak or duplicate passwords.
  • Update other weak and duplicate passwords with the LastPass password generator.
  • Update passwords for critical websites like email, banking, and social networks.

We also continue to update our LastPass Security Check tool to provide you with the latest information regarding vulnerabilities and your web accounts that are at risk. We will continue to monitor the situation and update our community.

16 Comments

  • Roland says:

    The current Maxthon browser (v4.4.3.4000) on both XP and W7 fails this test (and the one at filippo.io/Badfish/ referenced by the Independent [a major UK newspaper]).
    IE and Chrome on both systems pass both tests.
    Additionally, I can manually find no trace of Superfish on either system and neither does the Lenovo automatic removal tool [http://support.lenovo.com/us/en/product_security/superfish_uninstall].

    So it would seem that Maxthon are implementing something similar to Superfish…

    • Joe Siegrist says:

      It looks like they’re simply not blocking bad content from bogus SSL certificates at all which is really bad — they do show that they know the cert is invalid if you go to https://superfish.xmarks.com/infected.png so this looks like a poor “design decision.” I’d recommend submitting a bug report with them, it’s clearly the wrong behavior.

  • Roland says:

    Delete certificate? Surely the more secure option will be to disable them and hence have Windows treat them as untrusted?

    • Joe Siegrist says:

      Hopefully you’re not reinstalling Superfish after removing it right? Should be equivalent.

      • Roland says:

        It was the potential for unwitting reinstall that I was thinking about. I was trying to balance whether having Windows warn that the Superfish certificate was untrusted would give a typical user a reminder or greater cause to think about the applet they are installing, over and about Windows simply warning that the applet was wanting to install a new CA certificate.

        Obviously, the next question is going to be whether MS will include the Superfish certificate in its next update of root certificates.

  • Chris Price says:

    I had to clear the cache in Chrome before the site would indicate that my system was secure.