Lenovo CTO promises firm will never install Superfish adware on laptops again

Lenovo apologises again for dangerous adware

Lenovo's chief technology officer has promised that the company will never load the Superfish adware on any of its devices again and is working to remove other third-party 'bloatware' from its machines.

Lenovo has been on the back foot since news broke last week that it had put user privacy at risk owing to an adware program called Superfish that was pre-loaded onto machines before shipping.

This led to a backlash from customers and the security community, which has forced Lenovo to work with security vendors such as McAfee to remove the tool from machines.

Lenovo CTO Peter Hortensius has now promised that Lenovo will never again ship Superfish preloaded, and that it is working with partners and experts to reduce the inclusion of other 'bloatware' in its laptops.

"We stopped the preloads and will not include this Superfish software in any devices in the future," he wrote.

"We are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."

He said this will include "creating a cleaner PC image" and working with customers and privacy/security experts to "create the right preload strategy".

The comments come a day after Lenovo confirmed that it had teamed up with Microsoft and McAfee to remove the Superfish adware following concerns about security.

Lenovo announced the partnerships in a public statement, promising that the tools will let users automatically block and remove the insecure, self-signed certificates used by Superfish.

"We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," the firm said.

"These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."

The Microsoft removal tool will be integrated into Windows Defender version 1.193.444.0.

The tools are the latest step in Lenovo's bid to allay customer concerns that the firm put personal data at risk.

The problem erupted on the Lenovo forum earlier in February when several customers reported finding Superfish installed on their machines.

Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user.

Lenovo claims that the adware is installed on only a limited number of machines and does not affect its business-focused ThinkPad line.

"We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience," read the statement.

"While this issue in no way impacts our ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed."

Lenovo apologised for causing concern, but argued that the company never knowingly compromised its customers' privacy.

"We apologise for causing these concerns among our users. We are learning from this experience and will use it to improve what we do and how we do it in the future," read the statement.

"Superfish technology is purely based on contextual/image and not behavioural. It does not profile or monitor user behaviour. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted."

Lenovo is one of many firms dealing with privacy and security concerns. Researchers at FireEye reported on 20 February that Apple had ignored a dangerous flaw in the iOS operating system, codenamed Masque Attack II.