"But Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today.” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”
Now that an official CERT announcement has been released:
" Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. "
" By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort"
"Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. ... Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern. "
Reminds me of the story of "the ant letter". I'd describe it, but I'm interested to wait a bit to see if anyone else has heard/read it. Will describe it later if no one replies. I've not found it via Google despite a search.
"But Superfish tells us it stands by Lenovo’s assessment. “Superfish is completely transparent in what our software does and at no time were consumers vulnerable—we stand by this today.” a company spokeswoman said. “Lenovo will be releasing a statement later today with all of the specifics that clarify that there has been no wrong doing on our end.”
Now that an official CERT announcement has been released:
https://www.us-cert.gov/ncas/alerts/TA15-051A
I think their misleading comments are going to come back and bite them more than they have already.
[EDIT - Looks like they are backpedaling a little on: http://news.lenovo.com/article_display.cfm?article_id=1929
" Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. "
" By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort"
And on: http://support.lenovo.com/us/en/product_security/superfish
"Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA store. ... Superfish intercept HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern. "
]