The US Department of Homeland Security (DHS) recommended that Lenovo customers remove the Superfish adware from their computers and laptops. The Chinese electronics company installed the software on machines from 2010 until January 2015, and is no longer installing it on consumer products.
Despite Lenovo saying there were no cybersecurity issues, the National Cyber Awareness System said customers are vulnerable to SSL spoofing attacks. "Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken," the DHS said in a statement published by Reuters.
"We should have known about this sooner," said Brion Tingler, Lenovo spokesman, in a statement to Reuters. "And if we could go back, we never would have installed this software on our machines. But we can't, so we are dealing with this head on."
The company said PCs and laptops shipped between September and December last year had Superfish pre-loaded, and Tingler said he's unsure why the DHS believes it was installed as far back as 2010.
The "severe" vulnerability puts the Lenovo Yoga, Flex and MiiX lines at risk, along with the E, G, U, Y and Z series of Lenovo products.