One of the most daunting challenges of any security problem in consumer software is the difficulty of distributing a patch to everyone affected. Unless the software is tightly locked down and updates are mandatory, there are inevitably users who slip through the cracks, fail to apply an update when told to do so, or rarely connect online. It was inevitable that Lenovo would run into some of these problems with Superfish, but the company appears to have done only the minimum required to actually pull the software off the shelves.

For example, while Lenovo may have stopped shipping Superfish in January, it didn’t actually do any recalls to prevent previously built systems from including the malware — which means, yes, it’s still perfectly possible to buy a laptop with Superfish, assuming it shipped out before Lenovo’s change of heart. The Lenovo removal toolkit also doesn’t quite work as advertised — while it does remove the Superfish certificate and close the man-in-the-middle attack, it leaves behind the Superfish executable, SuperfishCert.dll, and at least one registry setting related to VisualDiscovery.
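Because the official toolkit reportedly leaves the executable, SuperfishCert.dll and a VisualDiscovery registry setting in place, an administrator needs an independent check rather than trusting the uninstaller's exit status. The PowerShell script below is an added example written for this article, not Lenovo's removal tool; the search roots, registry hives and name patterns it uses are assumptions, since the article names the artifacts but not their exact locations.

```powershell
# Added example (not Lenovo's tool): enumerate Superfish remnants that the
# removal toolkit is reported to leave behind. Run in an elevated PowerShell
# session so that the machine-wide stores and hives are readable.
function Find-SuperfishRemnants {
    $findings = @()

    # 1. The Superfish root certificate. The toolkit is said to remove this,
    #    but re-check both the machine-wide and the per-user root stores.
    $certStores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    Get-ChildItem -Path $certStores -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -imatch 'Superfish' -or $_.Issuer -imatch 'Superfish' } |
        ForEach-Object {
            $findings += "Certificate: $($_.Subject) thumbprint=$($_.Thumbprint) store=$($_.PSParentPath)"
        }

    # 2. Leftover binaries: SuperfishCert.dll and any file named after
    #    VisualDiscovery. Search roots are assumptions, not documented paths.
    $fileRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:windir) |
        Where-Object { $_ }
    Get-ChildItem -Path $fileRoots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'SuperfishCert.dll' -or $_.Name -imatch 'VisualDiscovery' } |
        ForEach-Object { $findings += "File: $($_.FullName)" }

    # 3. Registry keys or values referencing VisualDiscovery or Superfish.
    #    Hives chosen are assumptions; the article only says "at least one
    #    registry setting related to VisualDiscovery" survives the uninstall.
    $regRoots = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKCU:\SOFTWARE'
    foreach ($root in $regRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.Name -imatch 'VisualDiscovery|Superfish') {
                $findings += "Registry key: $($key.Name)"
            }
            # Also inspect string values, e.g. a Run entry or service ImagePath
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($props) {
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Value -is [string] -and $p.Value -imatch 'VisualDiscovery|Superfish') {
                        $findings += "Registry value: $($key.Name)\$($p.Name) = $($p.Value)"
                    }
                }
            }
        }
    }

    return $findings
}

$remnants = Find-SuperfishRemnants
if ($remnants.Count -eq 0) {
    Write-Output 'No Superfish remnants found in the checked stores, paths and hives.'
} else {
    Write-Output "Found $($remnants.Count) Superfish remnant(s):"
    $remnants | ForEach-Object { Write-Output "  $_" }
}
```

The script only reports; it deletes nothing, so its output can be compared before and after running the vendor toolkit to confirm what was actually removed. The certificate check is the one that matters most for the man-in-the-middle risk, while the file and registry checks cover the leftovers the article describes.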

Lenovo isn’t the first company to have a less-than-perfect uninstaller and it won’t be the last. But in situations like this, nailing every last corner case is particularly important. The company’s failure to recall the systems already in flight ensures that the impact of Superfish will last for months, as infected systems continue to propagate through the supply channel. Superfish, therefore, won’t just fade away without considerable action from consumers to monitor their own systems — and since infected users are likely less technical to start with, it could take years before the bug is completely cleaned out of the industry.

Meanwhile, at Computerworld, Michael Horowitz points out that Lenovo isn’t entirely to blame for the Superfish debacle. One of the only reasons the Superfish attack works in the first place is that any Certificate Authority can vouch for the accuracy of any website. Browsers are designed to trust CAs without requiring additional authentication. His blog post details how each browser uses a completely different workflow for identifying who issued a certificate for a supposedly trusted site, underlining how difficult it is for an end user to establish whether they’re talking to a legitimate website in the first place. Even worse, the same website’s Certificate Authority is actually identified four different ways: “VeriSign Inc, VeriSign (without the Inc), Symantec Corporation and… Symantec Class 3 EV SSL CA – G3.”

Lenovo still deserves the blame it’s taken for Superfish, and the company’s promised compensation has been laughed at as inadequate by many, but it’d be foolish to pretend that the problems with comprehensive internet security stop and start with a bad certificate included by an overzealous OEM. This is a hydra with many heads.