As reported by Rick Osgood of Hackaday:
The software actually installs a self-signed root HTTPS certificate. Then, the software uses its own certificates for every single HTTPS session the user opens. If you visit your online banking portal for example, you won’t actually get the certificate from your bank. Instead, you’ll receive a certificate signed by Superfish. Your PC will trust it, because it already has the root certificate installed. This is essentially a man in the middle attack performed by software installed by Lenovo. Superfish uses this ability to do things to your encrypted connection including collecting data, and injecting ads.
Well, if compromising the security of our personal financial transactions makes good business sense for Lenovo, we’ll just have to toughen up and deal with it, won’t we?
Lenovo claims that server-side interactions have been disabled since January, which disables Superfish, and that it has no plans to pre-load Superfish on any new systems.
Oh, good. False alarm. So they’ve stopped doing this. I totally trust them not to be full of “it.”
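The quoted Hackaday paragraph describes the two things a user can actually check for: a root certificate in the local trust store that should not be there, and a bank's leaf certificate whose issuer is not the bank's real CA. The script below is an added example, not code from Hackaday, Lenovo or this post; it uses only the Python standard library, matches the root on the name "Superfish" because that is the only name the page gives, and the function names and the "trusted reference machine" comparison are my own design.

```python
import socket
import ssl

# Name fragment of the injected root as given in the quoted text; the page
# does not state the certificate's full subject, so match loosely.
SUSPICIOUS_ROOT_FRAGMENT = "superfish"

def rdn_value(name, attr):
    """Return the first value of `attr` (e.g. 'commonName') from the
    nested-tuple name format used by getpeercert() and get_ca_certs()."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def suspicious_roots(ca_certs, fragment=SUSPICIOUS_ROOT_FRAGMENT):
    """Return CNs of trust-store entries whose subject CN or O contains
    `fragment`. `ca_certs` is the list SSLContext.get_ca_certs() returns."""
    hits = []
    for cert in ca_certs:
        subj = cert.get("subject", ())
        cn = rdn_value(subj, "commonName") or ""
        org = rdn_value(subj, "organizationName") or ""
        if fragment in (cn + " " + org).lower():
            hits.append(cn or org)
    return hits

def issuer_mismatch(peer_cert, expected_issuer_cn):
    """True when the leaf's issuer CN is not the CA you expect for the site.
    An interception proxy must re-sign the leaf with its own injected root,
    so the issuer is the first field that changes."""
    return rdn_value(peer_cert.get("issuer", ()), "commonName") != expected_issuer_cn

def scan_local_trust_store():
    """Load the OS trust store (the Windows store, or the system bundle on
    Linux/macOS) and report any root matching the fragment."""
    ctx = ssl.create_default_context()
    return suspicious_roots(ctx.get_ca_certs())

def live_issuer_cn(host, port=443):
    """Issuer CN of the leaf certificate a real handshake to `host` presents.
    Compare it with the value seen from a machine you trust: a difference
    means something between you and the site re-signed the certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return rdn_value(tls.getpeercert()["issuer"], "commonName")
```

Run `scan_local_trust_store()` on the affected machine; if it returns anything, the issuer that `live_issuer_cn("<your bank>")` reports will typically be that same injected root rather than the bank's public CA.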