A few days ago, Yahoo! Tech reported that Lenovo has been selling laptops that come pre-installed with malware created by a company called Superfish, which is designed to inject advertisements in the web browser but also compromises the certificate-based security protocols that enable computers to detect imposter web sites and can make the computers vulnerable to HTTPS man-in-the-middle (MITM) attacks. Lenovo’s customers are not happy, particularly since some experts are advising that they need to reinstall the operating system in order to be safe.

Here’s how it works: the Superfish software installs a root HTTPS certificate that is self-signed. A self-signed certificate is one that is signed by the same entity whose identity it is supposed to be verifying. This would be as if, instead of presenting you with a driver’s license or passport issued by an independent authoritative agency to prove that I am who I say I am, I signed a notarized statement vouching for myself. Self-signed certificates aren’t necessarily untrustworthy. In the certification authority hierarchy, each CA’s certificate is signed by one at a higher level. The very top level CA, then, has no other entity to sign its certificate and so must be self-signed. These are referred to as root certificates.

In this case, however, the self-signed certificate installed by Superfish intercepts the encrypted traffic for web sites visited by the user and presents itself as the certificate for that web site. If a computer has the Superfish certificate installed, it won’t recognize fake web sites (for example, a phishing site that masquerades as the site of a legitimate bank) as imposters.

It gets worse. The encryption key for the Superfish certificate has been cracked and publicized on the web, so attackers can use that key to initiate man-in-the-middle attacks. This works despite security mechanisms such as certificate pinning, which is helpful in detecting and blocking some types of MITM attacks. If you have a Lenovo computer purchased since the middle of 2014, you should check for Superfish.

Although the company is front and center in the news right now in regard to the negative impact of pre-installed programs, Lenovo is hardly the only device vendor that takes it upon itself to “gift” its customers with software programs that they neither need nor want. This has been an ongoing problem for many years, ranging from “trial versions” of popular applications such as Microsoft Office or security software from Norton or McAfee to uninstallable and utterly useless phone apps such as VZ Navigator and NFL Mobile on Verizon smart phones.

Some of these are merely annoying in that they take up precious space on devices with limited storage space, while others pose a security risk, suck up bandwidth, reduce battery life, or even cut into mobile data allocations by accessing the network periodically even though you aren’t using them.  A plethora of unwanted programs, many of which run background processes, can also slow an otherwise adequately powerful system down to a crawl. There’s even a name for the phenomenon: bloatware.

Now and then, vendors break the mold and offer devices free of (most) pre-installed software, such as the Microsoft Signature series of PCs that the company launched in 2012.  However, not everyone was impressed with that effort. Particularly at issue was the $99 charge for “decrapifying” a PC bought with bloatware. Meanwhile, most computers are purchased through OEMs such as HP or Dell, and still come with their share of unwanted applications, as do smart phones purchased from the major wireless carriers.  If customers hate it so much, why does this practice continue, and is there a way to stop it?

The simple answer to the first question is: follow the money. Software vendors pay hardware vendors to include their products on the machines. Because many people take the route of least resistance, getting an application onto the computer means a substantial number of users will keep and use it and, in the case of trial versions, end up buying it.  Computer vendors say the practice helps to reduce the prices of the machines, so it comes down to whether the price reduction is worth the time spent “degunking” each new device.

Some customers, especially those who are less tech savvy, actually appreciate that the freebies come with the system; it means one less thing that they have to do in order to get the functionality of applications such as security software, power management programs and utilities. Even if it’s a trial that expires after a month or year, they’ve gotten the benefit of the programs for that period of time – and they didn’t have to make a decision (for example, about which anti-virus to get) and go through the installation process.

More experienced computer users, on the other hand, usually spend their first day or so with a brand new computer or smart phone going through and uninstalling most or all of the “added value” software – or at least trying to do so. The problem is that often uninstallation isn’t as simple and clear-cut as it should be. Remnants of the unwanted programs may remain in the registry or in other locations on the hard drive, and in some cases may even cause conflicts with the software that you install.

Many pre-installed phone apps can only be “disabled,” not uninstalled, and thus still consume storage space.  On Android phones, apps installed on the system partition can’t be removed unless you have root permissions, whereas those installed on the data partition are removable by the user without rooting the device. In Android 5.0 (Lollipop), Google included a feature called “Play Auto Installs” that aims at making it easier for users to remove carrier-installed apps from their phones, but OEMs and carriers don’t have to use it.

When it comes to a PC application such as Superfish, you can uninstall it – but it’s also important in this case to remove the root certificate that creates the security issues. Microsoft has issued an update for Windows Defender that will get rid of the application and remove the certificate from the Windows certificate manager, but as of this writing it doesn’t remove it from the Firefox certificate manager. You can also manually delete Superfish’s root certificate using the process described in this article.
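As an added example (not part of the original article and not Microsoft’s or Lenovo’s tooling), the PowerShell script below performs the check suggested above on a single Windows machine: it looks for the Superfish certificate in the Windows root stores and for the program’s uninstall entry, and, only when run with `-Remove`, deletes the certificate. It assumes the certificate subject and the program name contain the word “Superfish”; it deliberately does not hard-code a thumbprint, and it does not touch Firefox’s separate certificate database.

```powershell
# Added example: report (and optionally remove) the Superfish root certificate on Windows.
# Assumption: the certificate subject and the program's uninstall entry contain "Superfish".
param([switch]$Remove)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

# Walk each trusted-root store and collect matching certificates.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a root certificate signs itself
            }
        }
}

if ($found) {
    Write-Warning 'Superfish root certificate present in a trusted store:'
    $found | Format-Table -AutoSize
} else {
    Write-Host 'No Superfish certificate found in the Windows root stores.'
}

# The application itself registers under the standard Uninstall keys (64- and 32-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Superfish' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
if ($apps) {
    Write-Warning 'Superfish program entry present; uninstall it before removing the certificate:'
    $apps | Format-List
}

# Removal: delete the certificate objects from the store. LocalMachine stores need an
# elevated prompt. Without -Remove the script only reports. Firefox keeps its own NSS
# certificate database, which this script does not examine or change.
if ($Remove -and $found) {
    foreach ($c in $found) {
        Remove-Item -Path "$($c.Store)\$($c.Thumbprint)" -Verbose
    }
}
```

Run it first without `-Remove` to see what would be deleted; deleting the certificate while the application is still installed may simply cause it to be re-added.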

Bloatware is likely to continue to be a problem, unless and until customers put enough pressure on hardware vendors to convince them that it’s bad for business. Some have suggested that operating system vendors such as Microsoft and Google could prohibit hardware OEMs from installing bloatware as part of the licensing terms for the OS, but I don’t think that’s likely to happen. In the meantime, perhaps the most we can hope for is that unwanted apps will become easier to remove.

——-

If you have reason to believe that Superfish may be installed on machines across your network, you can scan your network with GFI LanGuard to detect the bloatware. Read more about GFI LanGuard here.