Lenovo still distributing Superfish

Lenovo is still peddling notebooks pre-installed with dangerous, HTTPS-breaking adware, despite saying it had abandoned the practice.

Initially, Lenovo said the Superfish ad-injector posed no threat, a position it quickly reversed; it then said the company had stopped bundling the software in December.

Executives promised to release a removal tool that would delete all code and data associated with the adware.

However, it looks like Lenovo might not have told the full truth.

Ars Technica found that a new $550 Lenovo G510 notebook, which was ordered in early February, more than four weeks after Lenovo said it stopped bundling Superfish, still had the software.

It was not as if it was old stock stuck in the channel either: the onboard Windows had a December build date.

The next promise was about the official Superfish removal tool, which the PC maker states will “ensure complete removal of Superfish and certificates for all major browsers.”

While the tool removed the dangerous certificate—and as a result closed the serious man-in-the-middle vulnerability it posed—Lenovo’s software didn’t remove all Superfish-related data.

A Lenovo spokesman wrote in an e-mail to Ars: “If an individual customer has a specific question about their experience with the removal tool, they should contact the Lenovo Service line directly.”