Security Researcher: Superfish Could Be Catastrophic
Since June, Lenovo customers have been reporting a program called Superfish, software that automatically displays advertisements in the name of helping consumers find products online. Superfish is designed to intercept all encrypted connections and leaves the door open for NSA-style spies to hack into PCs through man-in-the-middle (MitM) attacks, according to Robert Graham, CEO of security research firm Errata Security.
Lenovo was quick to apologize and release an automated tool that promises to eradicate Superfish adware from PCs. Microsoft has updated Windows Defender to remove the malware, and other security vendors have followed suit, but that may not solve the problem for users who don’t know they are infected.
The Only Thing Worse . . .
On Friday, Facebook's Threat Infrastructure team issued an analysis of the adware, which concluded that “the new root CA (certificate authority) undermines the security of Web browsers and operating systems, putting people at risk." Now security researcher Filippo Valsorda is calling Superfish adware “catastrophic," saying that's “the only way all this mess could have been worse.”
Why? Because the Superfish proxy, which uses a Komodia content inspection engine, can be made to allow self-signed certificates without warnings. That opens the door to man-in-the-middle attacks.
“What we all realized in horror is that the root private key is the same on all machines, so anyone can take that and sign fake certificates to use in MitM attacks,” Valsorda wrote in a blog post. “Komodia should be punished for jeopardizing the users, like probably all the companies that didn't do due diligence here.” Komodia could not immediately be reached for comment.
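For administrators who want to see whether an affected PC is still trusting the injected root, the following PowerShell check is an added example (it is not code from the article, Lenovo, Microsoft or Facebook). It assumes the Superfish root certificate's Subject or Issuer contains the string "Superfish", and it only reports; removal of the certificate alone does not remove the proxy software, which is why the article points to the vendor removal tools.

```powershell
# Added example, not from the article. Looks for a Superfish root certificate in
# the machine-wide and per-user trusted root stores on a Windows PC.
# Assumption: the injected root's Subject or Issuer names "Superfish".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspect = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish'
    } | Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, Issuer, Thumbprint, NotBefore, NotAfter
}

if ($suspect) {
    # A root CA in the trust store means any certificate chained to it is
    # accepted silently, which is the man-in-the-middle exposure described above.
    $suspect | Format-Table -AutoSize
    Write-Warning ("Superfish root certificate present in {0} store(s). " +
                   "Remove the adware with the vendor tool, then re-run this check " +
                   "to confirm the root is gone.") -f @($suspect).Count
} else {
    Write-Output "No Superfish root certificate found in the trusted root stores."
}
```

Run it from an elevated prompt so the LocalMachine store is readable in full. Re-running after cleanup is the useful part: a removal tool that deletes the program but leaves the root certificate behind leaves the PC trusting anything signed with the shared key.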
Lenovo: ‘We Are Learning’
“We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday,” Lenovo said in a statement. “Now we are focused on fixing it.”
Lenovo said it has moved as swiftly and decisively as it can based on what it now knows. The company stressed that the issue does not impact any of its ThinkPads, tablets, desktops or smartphones -- or any enterprise server or storage device.
“We apologize for causing these concerns among our users -- we are learning from this experience and will use it to improve what we do and how we do it in the future,” Lenovo said. “We will continue to take steps to make removal of the software and underlying vulnerable certificates in question easy for customers so they can continue to use our products with the confidence that they expect and deserve.”