The software — which the company says was designed to create relevant advertising for online shoppers based on their website behavior — could also observe behavior that users don’t want observed, said Kevin Lanning, chief information security officer for UNC Information Technology Services, in an email.
“The Superfish software appears to have the ability to intercept encrypted traffic for every secure (HTTPS) website a user visits,” he said. “Given the specifics of Superfish software implementation, attackers may be able to create a website that imitates or masquerades as another secure website, and computers that have Superfish installed might fail to identify such imitation websites as forgeries.”
Lenovo has asked all computer owners to uninstall the software. Lanning said the software could be uninstalled by following instructions on Lenovo’s website or by calling ITS’s help number.
David Eckert, dispatch service manager for ITS, said in an email that the software was not installed on Carolina Computing Initiative models because they come with a custom-built UNC software preload that has never included Superfish or similar software.