Mike Masnick writes:
Wednesday night, the security world blew up with the news (which had actually been out there for a while), that the adware/malware Superfish that Lenovo had been installing by default on many laptops included a massive and dangerous security vulnerability by installing its own, self-signed root HTTPS certificate, and then basically mounting a man in the middle attack on every single HTTPS connection — and doing so with an easily hacked certificate, creating a giant vulnerability for anyone owning one of those laptops. We were shocked at the tone-deafness of Lenovo’s initial response, which didn’t even name which laptops Superfish was installed on, and made this blatantly bullshit statement:
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.However, within hours, Lenovo had quietly updated its statement to remove that line. The company is now also (finally) admitting which laptops were infected and put together a page about how to remove the software and the rogue certificate. That’s better, but Lenovo should at least apologize, which it has not done, and admit that it was completely full of shit in insisting that there was no security concern.
Read more on TechDirt.