UPDATE: Lenovo has listed the model numbers of its computers that are likely to include pre-installed third-party software linked to a vulnerability. Attackers can potentially exploit this vulnerability to read encrypted traffic and install malware. The third party software product was pre-installed on some Lenovo computers running Windows.
The computer maker has also released an automated tool to enable users to address the vulnerability by removing the third-party software product and its associated security certificate. The tool is available as an executable program for users to download and run. Lenovo has also advised how the software product can be removed manually.
The model numbers that may feature the third-party software product are:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Edge Series: Edge 15
You can test your Lenovo computer for this vulnerability by trying to access the Can I Be Super Phished website from your computer. This site has been set up to test for the vulnerability and is safe to access. It also contains additional information on addressing the vulnerability. Visiting this site should prompt a security warning from your browser when you follow the link.
If you do receive a warning indicating the site is untrusted, this indicates your computer does not have the vulnerability. If you can access the site without observing any security notification, it is likely your computer has the vulnerability and you should take steps to remove it.
You should undertake this test using Internet Explorer or Google Chrome browsers. Firefox may not provide a clear result.
All Lenovo users should check
We advise any user of Lenovo laptops or computers to check to see if their computer is vulnerable. The vulnerability is caused by software installed by Lenovo that was designed to inject advertisements into websites you visit. In order to include encrypted websites, a security certificate was pre-installed onto the computer.
Security certificates tell your computer which websites and software can be trusted. They are important to your online security, including for establishing secure connections to encrypted websites. (Trusted, encrypted websites commonly display a padlock in the browser address bar.)
Security certificates have two components, a public key and a private key. As their names imply, the public key can be known by everybody, while the private key needs to be kept secret (in this case, only Lenovo should have access to the private key).
This vulnerability arises because the private key was included on affected Lenovo laptops, stored within the pre-installed advertising program.
Details of the private key are easily accessible online, so can be used by anyone to forge fake security certificates, impersonate the advertising program and carry out a range of possible attacks.
These attacks may include accessing or spying on encrypted traffic between your computer and secure websites, as well as ‘signing’ malware with these certificates, meaning your computer will trust this malware as though it was legitimate and safe software.