**Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections**
Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said. The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there’s something much more nefarious about the Superfish package.
It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
**Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine.** Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.
[Update: Rob Graham, CEO of security firm Errata Security, has cracked the cryptographic key encrypting the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won’t be detected by machines that have the certificate installed. It took Graham just three hours to figure out that the password was “komodia” (minus the quotes). He told Ars the certificate works against Google even when an end-user is using Chrome. That confirms earlier statements that certificate pinning in the browser is not a defense against this attack (more about that below).]
Source: Ars Technica
Whilst I know this isn’t strictly Linux related, as it’s a pre-loaded Windows system, I would advise anyone to never buy anything from Lenovo again and, if they have friends / relatives with said brand using Windows, to check if this application is installed on their systems, as it is EXTREMELY dangerous: the cryptographic key has been compromised and it essentially allows anyone to intercept and decrypt HTTPS communication from said systems.
Simply removing the application is not enough, as the key is still in the certificates; this needs to be removed separately!
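One way to check a Windows machine for the leftover root certificate, as an added example that is not part of the original post or the quoted article. It assumes the certificate's Subject or Issuer contains the string "Superfish", and it covers only the Windows certificate stores, not applications that keep their own trust store.

```powershell
# Added example: look for a Superfish root certificate in the Windows trust stores.
# Assumption: the certificate's Subject or Issuer contains "Superfish".
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
           'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

$found = foreach ($store in $stores) {
    # Skip stores that do not exist on this machine or profile.
    if (-not (Test-Path $store)) { continue }

    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Issuer, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Output "No certificate matching '$pattern' in the checked root stores."
} else {
    # Show every match so the operator can confirm it before deleting anything.
    $found | Format-List Store, Subject, Issuer, Thumbprint, NotAfter

    # Removing from the LocalMachine stores needs an elevated prompt.
    # -WhatIf only reports what would be deleted; remove it to delete for real.
    $found | ForEach-Object { Remove-Item -LiteralPath $_.PSPath -WhatIf }
}
```

Run it once per user profile as well as elevated, since the CurrentUser stores differ between accounts.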