Congratulations, Lenovo laptop users. You've got malware on your laptop. Installed by Lenovo. Intentionally. Not simple bloatware, but a man-in-the-middle attack on all "secure" browser connections, rendering them trivially insecure. Seriously.
For a number of months now, Lenovo has been shipping laptops with Superfish malware pre-installed. You're probably used to laptop vendors installing random junk on their laptops to bother the end user. But Superfish isn't just random junk.
The idea of Superfish is to replace the ads on web sites with Lenovo's own ads. For example, if it attacks this site, then the ads you'd see if you don't disable them would be ads served by Lenovo so that Lenovo gets paid for the ads, rather than ads served by this site so that this site gets paid. That's bad, but perhaps not exceptionally bad as bloatware goes.
The problem comes with encrypted sites. If a site is encrypted, Superfish normally wouldn't be able to see what's an ad and what isn't, so it wouldn't be able to replace a web site's ads with its own. Superfish's solution to that is a man-in-the-middle attack on your browser connection.
For example, you want to buy something off of a site with ads and give them your credit card information. Superfish intercepts all browser communication so that, instead of the web site sending information to your browser, it sends the information to Superfish, which decrypts the page, replaces ads, encrypts the connection again, and passes it along to your browser.
It gets worse. Superfish apparently didn't lock itself down very well, so that all "secure" browser connections on infected machines are intrinsically insecure. If you do online banking via a Superfish-infected computer, your connection is insecure and there's nothing your bank can do about it.
The only thing you can do about it is to remove the Superfish certificate authority from your computer; merely uninstalling the Superfish software doesn't suffice. That's because Superfish installed a self-signed root certificate in order to enable its man-in-the-middle attack, and apparently used the same private key for all computers and made the private key easy to find. If you don't know what that means, that's kind of the point. Installing certificate authorities is the sort of thing that browser vendors are supposed to worry about, not end users.
The problem here isn't that Lenovo installed man-in-the-middle malware on their laptops and then didn't lock it down very well, leaving the laptops vulnerable. The problem is that Lenovo installed man-in-the-middle malware on their laptops. Period. End of sentence.
This is not the sort of security glitch that an incompetent company can do accidentally. It's not like a buffer overflow error or some such, where a well-intentioned company accidentally made its software vulnerable somehow. You don't accidentally create a man-in-the-middle attack. This is malware that was knowingly and intentionally installed by Lenovo on millions of laptops.
And then when people complained, Lenovo brushed it off for months. Only in the last few days, when security researchers demonstrated just how bad the problem really was, did Lenovo take it seriously. Even so, Lenovo claims that the security holes haven't been abused by anyone, other than Lenovo and its malicious adware, of course. That's unknowable, but even if it's true, having a huge security hole published like this means that it surely will get abused quickly if people don't remove it.
This isn't just the sort of thing that a reputable company simply wouldn't do. Most disreputable companies wouldn't do it, either, perhaps due to concerns over prison time or at least class action lawsuits. It is shocking that Lenovo, which might be the company that sells more laptops than any other in the world, thought this was a good idea.
Is it too harsh to say, don't buy anything Lenovo ever again? Maybe. But given the intentional and malicious nature of the attack, I would say, don't buy anything Lenovo ever again unless you're willing to, at minimum, wipe all storage media and do a clean install of whatever OS you want using media that Lenovo hasn't touched.
If you want some media sources for this, then here you go:
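The remediation step the post describes, removing the Superfish certificate authority rather than only uninstalling the software, as an added example that is not part of the original post: a PowerShell check of the Windows certificate stores. It assumes the rogue CA's subject or issuer contains the string "Superfish" (the post names the vendor but gives no thumbprint, so none is hard-coded), and that it is run in an elevated session when touching the LocalMachine stores.

```powershell
# Added example, not from the original post: find (and optionally remove) a
# Superfish root CA in the Windows certificate stores.
# Assumption: the rogue CA is identifiable by "Superfish" in its Subject/Issuer.
$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
           'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'

# Collect every matching certificate, remembering which store it came from.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Host "No certificate matching '$pattern' in the checked stores."
} else {
    Write-Host "Trusted-store entries matching '$pattern':"
    $found | Format-Table -AutoSize

    # Removal is the fix the post calls for. -WhatIf only previews the deletion;
    # drop it to actually remove the CA (LocalMachine stores need an elevated shell).
    foreach ($cert in $found) {
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -WhatIf
    }
}
```

Browsers that keep their own trust store, such as Firefox, are not covered by this check and would need to be inspected separately.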