Feb 19, 2015 · 1 minute

Lenovo has opened consumers up to man-in-the-middle attacks by including the Superfish adware -- or, as some have taken to calling it, malware -- on its Windows-powered devices.

Superfish purports to offer visual search tools that let consumers take a picture of an object, filter the image through its services, and view similar objects from around the Web.

According to the Guardian, however, its actual purpose is to insert third-party advertisements into various websites. And that's where Superfish crosses over from "adware" to "malware."

Injecting ads into Web pages requires Superfish to replace the certificate used to secure connections to sensitive websites, like email services and banking sites. By substituting its own certificate, Superfish undermines one of the most ubiquitous security protocols on the Web.

That would be bad enough on its own. But as the Verge reports, Superfish hasn't just helped itself to encrypted information -- it's also made countless Lenovo computers insecure:

It appears as though Superfish has used the same private key for its spurious root certificate on every machine. As Eric Rand, researcher at Brown Hat Security, explained to The Verge, if someone was able to crack the key, nefarious individuals could create certificates that all Lenovo machines inherently trust, or write malicious software that all Lenovo machines see as trusted programs.

Lenovo has told various outlets that Superfish isn't installed on new machines. But as of Wednesday night, one researcher was still able to order a Lenovo PC with the nefarious software pre-installed.

The issue is said to affect all browsers, meaning that uninstalling Superfish won't fix the problem. Now it seems millions of people will be vulnerable for the foreseeable future -- and because browsers won't warn them of Superfish's issues, they likely won't even know they're at risk.
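Because the problem lives in the Windows trust store rather than in any one browser, the practical check is to look at the root certificate stores themselves. The following PowerShell script is an added example written for this page, not code from the article or from Lenovo or Superfish. It assumes the Superfish root carries the string "Superfish" in its Subject field (the article names the vendor but not the certificate's exact subject), and it additionally flags any trusted root whose private key is present on the machine, since a public CA's private key is never shipped to end-user PCs and its presence is a strong sign of local TLS interception.

```powershell
# Added example (not from the article): look for a locally installed
# interception root like the one the article describes.
# Assumptions: the Superfish root's Subject contains "Superfish"; any root CA
# whose private key is present on this machine is treated as suspicious.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $reasons = @()

        # Check 1: subject matches the adware vendor named in the article.
        if ($cert.Subject -match 'Superfish') {
            $reasons += 'subject matches Superfish'
        }

        # Check 2: a trusted root CA that also has its private key on this box
        # can mint certificates the machine will trust for any site.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present for a root CA'
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No suspicious root certificates found in LocalMachine or CurrentUser Root stores.'
}
```

Run it from a PowerShell prompt on the machine in question; reading the stores needs no elevation, but removing an entry (with certmgr.msc, or `Remove-Item` on the matching `Cert:\` path) does require an administrator session. Uninstalling the Superfish application alone leaves the root certificate in place, which is why the check targets the store rather than the installed programs list.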

Consumers perhaps shouldn't be surprised that an adware company has put their security at risk. What's more troubling is that the world's largest maker of Windows PCs let it happen.

[photo by Kenneth Hagemeyer]