It has been a rough couple of weeks for Lenovo since revelations surfaced that the PC maker was selling notebooks pre-installed with dangerous, HTTPS-breaking adware. Initially, the company said the Superfish ad-injector posed no threat, a position it quickly reversed. Then, company officials issued a mea culpa that said the company stopped bundling the software in December. For customers who remained vulnerable, executives promised to release a removal tool that would delete all code and data associated with the adware.
Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.
"Lenovo may be saying they haven't installed Superfish since December, but the problem is that they are still shipping out systems with Superfish installed," Buddine said. "The Windows build had a date of December. They apparently aren't sorry enough to re-image the computers they have in stock to remove the problem and they're still shipping new computers with Superfish installed."