Bohol News Daily

Lenovo Releases Fix for Serious “Superfish” Vulnerability

Lenovo announced on February 20, 2015 that it had released a fix for the serious vulnerability introduced by pre-installed Superfish software. Lenovo laptop users who bought units shipped between September 2014 and February 2015 should check for the presence of the Superfish adware and follow the uninstall instructions at http://support.lenovo.com/us/en/product_security/superfish_uninstall.

The affected laptops are E10-30, Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 14 (BTM), Flex2 15 (BTM), Flex 10, G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45, Miix2 – 8, Miix2 – 10, Miix2 – 11, S310, S410, S415, S415 Touch, S20-30, S20-30 Touch, S40-70, U330P, U430P, U330Touch, U430Touch, U540Touch, Y430P, Y40-70, Y50-70, Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13, Z40-70, Z40-75, Z50-70 and Z50-75.

The Superfish adware included a self-signed or locally signed certificate, which defeats the purpose of HTTPS encryption. The vulnerability allows malicious users to perform a “man-in-the-middle” attack in which the SSL encryption is effectively defeated and supposedly secure data can be captured unencrypted.
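A check an administrator could run after following the uninstall instructions, to confirm that no such certificate is still trusted by Windows. This is an added example, not Lenovo's removal tool; the function name `Find-TrustedRootByName` is hypothetical, and matching on the string "Superfish" in the certificate's subject or issuer is an assumption.

```powershell
# Added example (not from Lenovo): report trusted root certificates whose
# subject or issuer matches a name. The default pattern 'Superfish' is an
# assumption about how the certificate is labelled.
function Find-TrustedRootByName {
    param(
        [string]$Pattern = 'Superfish',
        # Machine-wide and per-user trusted root stores.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    # Subject equal to issuer indicates a self-issued root.
                    SelfIssued = ($_.Subject -eq $_.Issuer)
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$hits = @(Find-TrustedRootByName)
if ($hits.Count -gt 0) {
    $hits | Format-List
    Write-Warning 'A matching root certificate is still trusted on this machine.'
} else {
    Write-Output 'No matching certificate in the Windows trusted root stores.'
}
```

The script only reads the Windows certificate stores; applications that keep their own trust store are not covered by it.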

Lenovo has been heavily criticized for pre-installing adware that many users consider obtrusive. It was supposed to “enhance the users’ shopping experience”. However, aside from being obtrusive, it also introduced a serious vulnerability.

Source: http://support.lenovo.com/us/en/product_security/superfish
