Now, Lenovo admits to the gravity of the problem (even if the company behind Superfish does not, as shown by a spokesperson's comments to Ars Technica) and is working with others in the industry to fix it. Still, the question remains -- how did a security hole this problematic get there in the first place? As Hortensius told me, that's the question he and his team will be trying to answer over the next week or so.

How to make Superfish go away

The first priority is making sure that Superfish disappears and the security hole is closed, and there are several ways to make sure your PC is secured. Browser test pages (Filippo.io, LastPass) can tell you if you're affected and give tips on removal. Lenovo has its own list of uninstallation instructions, and as of today Microsoft's Windows Defender scanner has been updated to remove Superfish and its security certificate. You can expect other scanners to get a similar update soon, and of course Lenovo is working on an uninstall program of its own that could be available later today.
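As an added example (not from the article, from Lenovo, or from the test pages mentioned above), here is a PowerShell check a Windows administrator could run to see whether a Superfish root certificate is sitting in the trusted root stores, and to remove it once the match has been reviewed. It assumes the certificate's Subject field contains the string "Superfish"; the function names and the pattern parameter are my own.

```powershell
# Added example, not Lenovo's or Superfish's code.
# Assumption: the Superfish root certificate's Subject contains "Superfish".
# Other Komodia-based products install roots under different names, so the
# pattern list can be widened if you know what else is on the machine.

function Find-InterceptionRoot {
    param(
        [string[]]$Pattern = @('Superfish')
    )
    # Build one regex from the patterns, escaping any regex metacharacters.
    $regex = ($Pattern | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Check both the machine-wide and the current-user Trusted Root stores;
    # a cert in either one is trusted by Internet Explorer and Chrome.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $regex } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Remove-InterceptionRoot {
    param(
        [string[]]$Pattern = @('Superfish')
    )
    Find-InterceptionRoot -Pattern $Pattern | ForEach-Object {
        # Certificates are addressed by store path plus thumbprint.
        $path = Join-Path -Path $_.Store -ChildPath $_.Thumbprint
        Write-Host "Removing '$($_.Subject)' from $($_.Store)"
        # Removing from LocalMachine\Root requires an elevated shell.
        Remove-Item -Path $path
    }
}

# Usage: list matches first, then remove once you're satisfied with them.
Find-InterceptionRoot | Format-Table -AutoSize
# Remove-InterceptionRoot
```

Two caveats a practitioner will want: Firefox keeps its own certificate store rather than using the Windows one, so it has to be checked separately, and deleting the certificate does not uninstall the Superfish software that re-signs your traffic. The article's advice to run Lenovo's uninstall instructions or an updated Windows Defender scan still applies; the certificate check is how you confirm the cleanup actually took.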

Why is Superfish such a big problem?

Superfish's security problems are worsened by practices researchers have uncovered over the last day or so: not only is its security certificate easily extracted, as Rob Graham discovered, it uses the same one on every computer. It appears that Superfish (and others) used technology from a company called Komodia to pull off its ham-fisted intervention, and all of them are equally vulnerable. Even worse, beyond the initially discovered MITM vulnerability and weak encryption, the Komodia package can be easily tricked into accepting any certificate as valid. According to CloudFlare security team member Filippo Valsorda, that means it's easy to intercept encrypted traffic from anyone with Komodia-powered software on their system.

What is Lenovo doing about it?

While we wait to find out the next way this will get worse, Lenovo says it is taking steps to turn things around. Of course, as security researcher Kenn White asked, after the company ignored respected security researchers "activating the Batsignal", restoring its public trust will be tricky. The software appeared on computers beginning in September, and posters on Lenovo support forums were asking questions that should've raised alarms for months.

This is not a level of maintenance like changing oil; this is whether your headrests will sprout spikes in an accident. - Munin Lore Keeper (@munin) February 20, 2015

According to Hortensius, Lenovo does security checks for software that it preloads, but apparently Superfish bypassed those even with this glaring security hole. He says, "If we knew then what we know now, we'd never have shipped this", and that security practices, even the ones the company will institute going forward, can never be 100 percent. He says that more substantive information is coming that will detail how Lenovo plans to avoid getting caught out like this again, which will be key. Patching the software is relatively simple -- filling in this hole in the company's reputation may not be so easy.

[Image credit: (shark) Martin Barraud, (Windows Defender scan) Filippo Valsorda]