In the wake of the Superfish debacle, Lenovo CTO Peter Hortensius sent out an open letter earlier today, once again apologizing for the Superfish preload.

In the letter, Hortensius detailed the first steps Lenovo has taken to correct the issue: halting preloads of the Superfish software, publishing instructions for removing it manually, providing an automated removal tool, and working with antivirus vendors Microsoft, Symantec, and McAfee so that their products automatically detect and remove the software.

Furthermore, Hortensius outlined the options Lenovo is considering to ensure issues like this do not happen again: creating a cleaner PC image, working with users and security experts to create the right preload strategy, and soliciting and assessing the opinions of its harshest critics going forward.


Full Letter:

Superfish Update – An Open Letter from Lenovo CTO Peter Hortensius

Beginning in September 2014, we made a decision to ship some of our consumer notebooks with Superfish. This software frustrated some users without adding value to the experience so we were in the process of removing it from our preloads. Then, we saw published reports about a security vulnerability created by this software and have taken immediate action to remove it. Clearly this issue has caused concern among our customers, partners and those who care about Lenovo, our industry and technology in general. For this, I would like to again apologize. Now, I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.

We have already taken several critical first steps:

  • We stopped the preloads and will not include this Superfish software in any devices in the future.
  • We have worked on our own and with our partners to make your PCs safe from this vulnerability as quickly and easily as possible:
    • On Thursday, Feb. 19, Lenovo provided a manual fix and by Friday, Feb. 20, we provided an automated removal tool to make it simple for our customers to remove Superfish and related files.
    • Also on Friday, our partners, Microsoft, McAfee and Symantec updated their software to automatically disable and remove this Superfish software. This means users with any of these products active will be automatically protected. We thank them for their quick response.
    • Together, these actions mean all new products already in inventory will be protected. Shortly after the system is first powered on, the AV program will initiate a scan and then remove Superfish from the system. For systems which are re-imaged from the backup partition on the HDD, Superfish will also be removed in the same manner. For products already in use, Superfish will be removed when their antivirus programs update.

We have communicated as rapidly as possible with customers, partners and industry watchers and influencers. I hope that with every communication, we are better informed and more clear on what is important.

  • Now, we are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week. What I can say about this today is that we are exploring a wide range of options that include:
    • creating a cleaner PC image (the operating system and software that is on your device right out of the box);
    • working directly with users, privacy/security experts and others to create the right preload strategy quickly;
    • and soliciting and assessing the opinions of even our harshest critics in evaluating our products going forward.

While this issue was limited to our consumer notebooks and in no way impacted our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognize that all Lenovo customers may have an interest in where we are and what is next. The fact is our reputation touches all of these areas, and all of our customers. Now, we are determined to make this situation better, deliver safer and more secure products and help our industry address – and prevent – the kind of vulnerabilities that were exposed in the last week.

Thank you.
Peter Hortensius


Our Take

I think Superfish has truly been a humbling experience for Lenovo and the apology from Hortensius is sincere. While Hortensius was the one to let Superfish slip by in the first place, you really have to give him credit, as he has not only owned up to the mistake but has taken quick action to remedy the situation.

I’m also happy to see that he’s learning from this experience. In his letter, one of the plans he lists is to create a “cleaner PC image”. I think this is something that every system integrator needs to incorporate into their preload strategy. Over the years, preloaded crapware has really gotten out of hand, seriously impacting user experience. I’ll be sure to keep a close watch on Lenovo and the industry as a whole, but aside from the security issues Superfish has caused, I’m almost a bit glad it happened. It was just the wake-up call the entire industry needed.