The Intel NUC category has been an interesting product line to analyze, as it provides us with insights into where the traditional casual / home use desktop market might end up. UCFF (ultra-compact form factor) PCs have had an excellent reception in t…
This week Apple has announced that they are initiating a new repair extension program for the MacBook Pro, in order to address video corruption and stability problems with certain models. The program offers extended repair service for the 15” and 17” 2011 MacBook Pros, along with the 2012 and Early 2013 15” Retina MacBook Pros.
Under the terms of the program, covered laptops that are experiencing video issues such as display corruption, system crashes, or other glitches will be eligible for free repairs through Apple. Furthermore all affected systems are eligible regardless of warranty status, making this a true extension in every sense of the word as the bulk of the systems this program covers are past their extended warranty expiration dates. Meanwhile in order to compensate any users who have already suffered from the issue, Apple is also offering reimbursements to those customers who have already paid for repairs.
MacBook Pro Display Corruption (Image Courtesy 9to5Mac)
The MacBook Pro repair program comes less than 2 years after Apple’s last repair program, which in 2013 saw Apple offering free video card replacements and repairs for the mid-2011 27” iMac. And given the similarities between the problems in the MacBook Pro and the iMac, this has raised a few eyebrows. While the 2011 iMac and MacBook Pros use different GPUs, both systems use GPUs from AMD’s Radeon HD 6000M series, with the iMac using the higher-end 6970M while the MacBook Pros used the 6490M, 6750M, and 6770M GPUs.
However throwing a wrench into any common thread between these systems, the last of the MacBook Pros covered by the repair program, the first generation 15” Retina MacBook Pros, used NVIDIA’s GeForce GT 650M instead. There is also the matter of differences in construction – iMacs used MXM cards, MacBook Pros use GPUs soldered on to the logic board – and even differences in operation. Namely, while the iMac used its dGPU exclusively the MacBook Pros all used switchable graphics, which means that the MacBook Pros are often being driven by their iGPU rather than their dGPU.
Early 2011 15″ MacBook Pro: CPU & GPU Cooling; the GPU is the topmost chip (Image Courtesy iFixit)
Consequently while we first suspected that this is a common issue revolving around the Radeon HD 6000M series – and certainly we can’t rule that out – there seems to be more that’s going on here than a common failure in one line of GPUs. This could include Apple opting to address multiple modes of failure under a single repair program, or even just pure coincidence. At the same time we haven’t seen a widespread repair program issued by other OEMs for any of these GPUs, which may mean that Apple is the only OEM being seriously affected, unlike NVIDIA’s bumpgate which saw repair programs from a number of OEMs.
For that reason I find myself wondering whether another factor such as cooling has been playing a role here. Although these Apple devices all use different coolers, one common element in Apple’s iMac and Retina MacBook Pro designs has been the comapny’s aggressiveness in controlling the thickness of those devices, leading to them pushing the envelope on cooling relatively high TDP processors in tight spaces.
In any case, the full details of the program, including the affected models and repair instructions, are available over at Apple’s website.
The Intel NUC category has been an interesting product line to analyze, as it provides us with insights into where the traditional casual / home use desktop market might end up. UCFF (ultra-compact form factor) PCs have had an excellent reception in t…
This week Apple has announced that they are initiating a new repair extension program for the MacBook Pro, in order to address video corruption and stability problems with certain models. The program offers extended repair service for the 15” and 17” 2011 MacBook Pros, along with the 2012 and Early 2013 15” Retina MacBook Pros.
Under the terms of the program, covered laptops that are experiencing video issues such as display corruption, system crashes, or other glitches will be eligible for free repairs through Apple. Furthermore all affected systems are eligible regardless of warranty status, making this a true extension in every sense of the word as the bulk of the systems this program covers are past their extended warranty expiration dates. Meanwhile in order to compensate any users who have already suffered from the issue, Apple is also offering reimbursements to those customers who have already paid for repairs.
MacBook Pro Display Corruption (Image Courtesy 9to5Mac)
The MacBook Pro repair program comes less than 2 years after Apple’s last repair program, which in 2013 saw Apple offering free video card replacements and repairs for the mid-2011 27” iMac. And given the similarities between the problems in the MacBook Pro and the iMac, this has raised a few eyebrows. While the 2011 iMac and MacBook Pros use different GPUs, both systems use GPUs from AMD’s Radeon HD 6000M series, with the iMac using the higher-end 6970M while the MacBook Pros used the 6490M, 6750M, and 6770M GPUs.
However throwing a wrench into any common thread between these systems, the last of the MacBook Pros covered by the repair program, the first generation 15” Retina MacBook Pros, used NVIDIA’s GeForce GT 650M instead. There is also the matter of differences in construction – iMacs used MXM cards, MacBook Pros use GPUs soldered on to the logic board – and even differences in operation. Namely, while the iMac used its dGPU exclusively the MacBook Pros all used switchable graphics, which means that the MacBook Pros are often being driven by their iGPU rather than their dGPU.
Early 2011 15″ MacBook Pro: CPU & GPU Cooling; the GPU is the topmost chip (Image Courtesy iFixit)
Consequently while we first suspected that this is a common issue revolving around the Radeon HD 6000M series – and certainly we can’t rule that out – there seems to be more that’s going on here than a common failure in one line of GPUs. This could include Apple opting to address multiple modes of failure under a single repair program, or even just pure coincidence. At the same time we haven’t seen a widespread repair program issued by other OEMs for any of these GPUs, which may mean that Apple is the only OEM being seriously affected, unlike NVIDIA’s bumpgate which saw repair programs from a number of OEMs.
For that reason I find myself wondering whether another factor such as cooling has been playing a role here. Although these Apple devices all use different coolers, one common element in Apple’s iMac and Retina MacBook Pro designs has been the comapny’s aggressiveness in controlling the thickness of those devices, leading to them pushing the envelope on cooling relatively high TDP processors in tight spaces.
In any case, the full details of the program, including the affected models and repair instructions, are available over at Apple’s website.
For the many of us that have purchased a laptop, we are somewhat used to the amount of bloatware that comes pre-installed. Most of this relates to the company specific software, or free trials for office applications or anti-virus software. I would imagine that the more technologically savvy users uninstall some of this bloat for themselves and their family and friends, but it does give an opportunity for the manufacturer to install what they want before the device gets shipped.
Here at AnandTech we receive laptops on a regular basis for review, and where we can we tend to ask for retail units so we can analyze the hardware without fear of getting a ‘review-focused’ sample. The same thing goes for motherboards, SSDs, and graphics cards, which also come with their own software but the user has to specifically install everything. With a laptop, smartphone, tablet, workstation, or notebook, it all comes pre-prepared for the user to plug and play. The demand to remove the bloatware has led to smartphones and tablets being offered with pure stock versions but also carrier customized ones, and some users get the choice of both.
A topic that has been in the news today, and whose symptoms date back a little further, has been with Lenovo laptops and notebooks. This software is called SuperFish and comes as a browser add-on, which Lenovo calls a ‘Visual Discover’ program that detects when a website has advertising and replaces it with targeted images based on what the user is looking at in order to make informed choices at potentially lower prices. This comes with a variety of issues.
First, it replaces the advertisement(s) on the website, which offers the website a form of income (such as AnandTech and other advertiser driven models). The new advertisement redirects the link to a server that may benefit Lenovo, distorting the ad views for that particular website and shifting income back to the laptop manufacturer.
Second, SuperFish is actively scanning the websites that people look at, resulting in privacy issues. Lenovo has stated that this software analyzes images in an algorithmic pattern (presumably similar to Google Goggles) rather than tracking the behavior of the user, but without access to the code most users will still not trust the software. After consistent issues regarding security and tracking in the media recently, especially with certain ‘Smart TVs’, it is understandable how users are concerned over devices that do not respect their privacy.
Third, the best explanation for SuperFish comes down as adware. Malware and adware have been a common threat of the century when it comes to web browsing, where software places unwanted advertisements in the eye-line of the user to generate revenue. If we take that definition then SuperFish falls under that category, no matter how it is dressed up.
The fourth issue (and arguably most severe issue) revolves around security. This is twofold – the SuperFish software will intercept any HTTPS encrypted webpage that has advertisements when it replaces them with its own, creating a mix of secure and insecure content. This allows other software to come in and potentially inject its own attack, stealing sensitive information. The second issue with security is that SuperFish issues its own SSL certificates for a large number of common sites, with severely reduced security than what is often required, such as with banks with the example that is circling the internet:
This essentially amounts to a fake root certificate, necessary for SuperFish to intercept HTTPS connections to do its image analysis, but in the process giving SuperFish access any information passed via HTTPS. Any and all alarm bells should be ringing in everyone’s ears at this point, as this means the SuperFish software has the means to see bank information, personal information, and any other sensitive information. These certificates are accepted because Lenovo has pre-installed the PC with details to accept SuperFish certificates, essentially creating a ‘self-signing authority’.
But most damaging of all is the potential for these certificates to be used by malicious third parties. As it turns out, the security of these certificates would seem to be using SHA-1, which is insecure and can be overcome with the right software and ordinary computing hardware. The 1024-bit RSA key has also been cracked, with the private key being bundled with the software in order to execute on-the-fly digital certificate signing. Consequently researchers have already cracked the key and password with relatively little effort, exacerbating the scale of the situation. Easily repeatable by hackers, this would allow a hacker to come in and use the same password/key combination to sign their own fake SSL certificates against the SuperFish root certificate, in essence allowing anyone with network contol to execute a man-in-the-middle attack on any Lenovo system with the SuperFish root certificate installed.
The reason this situation has come to the forefront today is due to a tweet on Wednesday by the co-director of the Open Crypto Audit Project and a single forum post by a Lenovo employee, describing how SuperFish works:
Despite whatever good intentions Lenovo had behind the software, the implementation as well as the execution leave a lot to be desired, especially in a climate where security and privacy are key factors with their main user demographic. I doubt that any such software would ever been considered in this digital age as viable, unless it was forced upon a user at a work machine to only ever be used for that purpose. But for home users, this post waves a black flag followed by a red one – the race is being stopped and you are being disqualified.
There are two elements to this story from Lenovo. Perhaps understandably, the forum post mentions that SuperFish is currently disabled on Lenovo’s end. However, the software is still present on the user machines and most importantly the weak root certificate is still installed.
The next is an official response from Lenovo on SuperFish, which you can read here. A brief summary is included here:
As noted, the response from the community about SuperFish has been negative. Marc Rogers writes a particularly scathing post about the situation, and mainstream media such as the BBC is actively picking up on the issue. Over 30 models are affected by this software, all of which are noted in the official Lenovo response, and details are provided on how to remove the software. If you think you are affected, @FiloSottile is hosting a SuperFish detector at https://filippo.io/Badfish/. There are also extra instructions to remove malicious certificates from a system at the bottom of the page here.
Lenovo has stated that new units are no longer preloaded with SuperFish. However, there are most likely units still in the supply chain from before January that have the software. Lenovo is issuing an update to SuperFish to disable itself if the user accepts the user agreement on first use.
The end result is that this comes at the expense of Lenovo’s reputation. As a brand that has made it into most of the largest markets around the world, there’s an element of trust that takes years to build and a single action to erode. I suspect there will be some calls for investigations or forms of compensation, and at this point it is difficult to estimate if any legal action will be sought or anything illegal can be proven due to compromised systems. Lenovo at this time is treading carefully, only providing an official statement on the issue despite the initial furor caused over a single forum post that has now been viewed over 100,000 times.
I’m sitting at my work desk with a Core-M based Yoga 3 Pro and fortunately it is not one of the models affected. Loading up a detection website confirms this. Normally on AnandTech our testing is directed mostly at the hardware, the performance and the design choices made, but rarely the politics. It is a difficult subject for a website like AnandTech to tackle, and given the amount of information around, it is important to stick to the facts here. There has already been a backlash over social media about SuperFish, and Lenovo has acted quickly. Some users will be expecting an apology, rather than the attempted justification, and we will have to see how this situation develops. I can imagine Lenovo not stating anything except through official channels for a while. They will be presenting and have a booth at Mobile World Congress in March, so we may (or may not) see any development then.
Sources: Lenovo, Marc Rogers, Errata Security, @FiloSottile
Update 2/20: It is now being reported that Windows Defender is taking a grim view of SuperFish and knocking it out of the frying pan and into the fire. Anyone for baked cod? Defender will now remove SuperFish as well as the installed certificate authority and the certificates still on the system. @FiloSottile has screenshots showing Defender in action:
Update 2/23: Lenovo has now launched its own tool for removing SuperFish and all certificates for major browsers. Also available is the source code for the software, and manual instructions for users who do not wish to install the tool. I can all be found here.