If you’ve missed it: Lenovo have been shipping pre-installed crapware that is basically an insta-rootkit on all their machines for over a year. It’s called Superfish, and it’s partly an image search tool, but it’s really about ad-insertion – it sticks Superfish-placed ads onto other people’s webpages.

And hey, guess what? Turns out it also sticks a broken SSL certificate in your machine, and the password is publicly known, and anyone can p0wn your machine at any time even if you uninstall their crapware. It is literally worse than Sony’s infamous CD rootkits, and active exploits are circulating now.

Seriously, this is incredibly bad. Their current removal tool doesn’t even fix the problem, tho’ they’re promising one that does. But given how they’ve behaved so far (best summed up by “eh, fukkit, and fuck you, losers”), I don’t expect any new one to work either and most certainly would not trust it.
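To see whether the certificate is still trusted after an uninstall or a removal-tool run, you can check the Windows certificate stores directly. This is an added example, not part of the original post or any vendor tool, and it assumes the certificate's Subject or Issuer contains the string "Superfish":

```powershell
# Added example: look for a Superfish certificate left in the Windows trust stores.
# Assumption: the certificate's Subject or Issuer contains the string "Superfish".
$pattern = 'Superfish'

# Trusted roots and intermediate CAs, machine-wide and for the current user.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($hits) {
    # Any hit means TLS certificates signed by that key are still accepted here.
    $hits | Format-List
    Write-Warning "Found $(@($hits).Count) matching certificate entries; the uninstall did not remove the trust."
} else {
    Write-Output 'No certificate matching "Superfish" in the Windows root or intermediate stores.'
}
```

This only covers the Windows stores; software that keeps its own trust store has to be checked separately.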

So if you have a Lenovo machine that shipped with Windows in the last couple of years, you probably need to level it and install another OS – a direct-from-Microsoft copy of Windows would be fine, of course. If you’ve installed Superfish for some reason, well, same notation. It’s that bad, and yes, I really mean it.

Lenovo should go down over this. They won’t, but they should. Superfish needs to be sued out of existence. That might actually happen. It’d be nice, anyway. But they’ll probably just change their name and carry on.