Lenovo Releases Superfish Removal Tool
By Paul Wagenseil, February 21, 2015 9:38 AM - Source: Tom's Guide US
Chinese PC maker Lenovo late yesterday (Feb. 20) released a removal tool for the dangerous Superfish adware that Lenovo had pre-installed on many of its consumer laptops. Hours later, a security researcher demonstrated how easily the adware could be used to hack into online financial transactions.
The Lenovo Superfish removal tool can be found at support.lenovo.com. It must be downloaded first, but will run without installation. Lenovo has released the tool under a public license and placed the source code on the developer website GitHub so that security experts can analyze and possibly improve on it.
(If you have a Lenovo laptop, you can check whether it is affected by using each installed Web browser to visit filippo.io
Early today (Feb. 21), Robert Graham, CEO of Atlanta-based Errata Security, posted detailed instructions on his blog on how to create a malicious Wi-Fi hotspot to exploit the security vulnerability that the Superfish adware creates on Lenovo laptops.
"This example proves that this exploit is practical, not merely theoretical, as claimed by the Lenovo CTO," Graham wrote.
Graham used a Raspberry Pi 2 (a minicomputer that costs about $35), a $10 Wi-Fi adapter and a microSD card, which can be had for as little as $4. The software was all freely downloaded from the Internet, and it took Graham about 3 hours to build the device and get it running.
To demonstrate the flaw, he used a laptop on which the Superfish adware had been installed to connect to the Internet using his malicious hotspot. He tried to log into the Bank of America website using a fictitious name, and showed that the hotspot intercepted the connection and logged the fictitious name. It would also have logged the password, had there been one.
more at the link:
tomsguide.com