The company has provided a PDF that walks users through uninstalling the Superfish software itself and removing the security certificate. The instructions are fairly straightforward and should take users only a few minutes.
A number of machines produced between September and December 2014 are affected:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30
Meanwhile, Lenovo is busy working on damage control. Lenovo’s chief technology officer, Peter Hortensius, was interviewed by both the Wall Street Journal and Bloomberg today but avoided discussing the severity of the Superfish root certificate authority.
Hortensius claims that security analysts are “dealing with theoretical concerns” and “we have no insight that anything nefarious has occurred.” Security analysts, for their part, argue that the software has exposed Lenovo users to sizable security risks.
The Electronic Frontier Foundation wrote today that “Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users.”
Lenovo is, however, working on a piece of software that fully erases Superfish from computers, to be released in the near future. Hortensius admitted in the Bloomberg interview that Lenovo “made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.”
Update: Lenovo has released an automatic removal tool for Superfish and is working with Microsoft and McAfee to have the certificate quarantined or removed automatically, a process that has already begun.