The US government has advised users of Chinese PC maker Lenovo to remove the malicious application named Superfish installed on some Lenovo laptops due to cybersecurity issues.

The US Department of Homeland Security said the Superfish programme in the laptops allows the installation of a "non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic".

"All browser-based encrypted traffic to the internet is intercepted, decrypted, and re-encrypted to the user's browser by the application – a classic man-in-the-middle attack," the agency said in an alert.

Lenovo pre-installed the spyware, which intercepts users' web traffic to provide targeted advertisements, on some of its PCs starting in September 2014.

Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Therefore, systems with the Superfish software installed are vulnerable to cyber attacks, as websites such as banking and email, can be spoofed without a warning from the browser.

Lenovo has earlier said it discontinued the practice of pre-installing the software, but systems with the software already pre-installed will continue to be vulnerable, the agency reminded.

It also urged customers to uninstall Superfish VisualDiscovery on Lenovo laptops along with the associated root CA certificate.

Laptops in Lenovo's Yoga, Flex and MiiX lines as well as its E, G, U, Y and Z series are affected by the adware, according to the company's support website.

Affected Products

The following Lenovo notebooks may be affected:

E-Series: E10-30

Flex-Series: Flex2 14, Flex2 15, Flex2 14D, Flex2 15D, Flex2 14 (BTM), Flex2 15 (BTM), Flex 10

G-Series: G410, G510, G40-70, G40-30, G40-45, G50-70, G50-30, G50-45

M-Series: Miix2 – 8, Miix2 – 10, Miix2 – 11

S-Series: S310, S410, S415, S415 Touch, S20-30, S20-30 Touch, S40-70

U-Series: U330P, U430P, U330Touch, U430Touch, U540Touch

Y-Series: Y430P, Y40-70, Y50-70

Yoga-Series: Yoga2-11BTM, Yoga2-11HSW, Yoga2-13, Yoga2Pro-13

Z-Series: Z40-70, Z40-75, Z50-70, Z50-75

How to Remove Superfish Visual Discovery and CA certificate

  1. Go to Control Panel, click on Programs and Features and uninstall VisualDiscovery.
  2. Press Windows key + R on your keyboard to bring up the Run tool, then search for certmgr.msc to open your PC's certificate manager.
  3. Click on "Trusted root certificate authorities" in the left-hand navigation pane, then double-click "Certificates" in the main pane.
  4. Find the Superfish entry, then right-click on it and select "Delete."

Microsoft has recently updated its Defender antivirus programme to automatically remove both the adware and the CA certificate from the Windows certificate manager, but not Firefox's certificate manager.

See the Mozilla guidance to delete CA certificates from Firefox web browser.

In addition, Lenovo has released an automated tool to remove the Superfish adware and certificates for all major browsers.