• by Wendy Davis  @wendyndavis, November 26, 2018

A federal judge has granted preliminary approval to a deal that calls for computer manufacturer Lenovo and ad company Superfish to pay $8.5 million to settle a class-action lawsuit over adware that contained security flaws.

The settlement, tentatively approved last week by U.S. District Court Judge Haywood Gilliam in Oakland, California, calls for consumers who purchased adware-laden notebooks to receive at least $40, and as much as $750, depending on whether they incurred costs as a result of the software. Lenovo, which shipped the computers, agreed to pay $7.5 million, while Superfish agreed to pay $1 million.

If granted final approval, the deal will resolve a lawsuit stemming from Lenovo's 2014 decision to bundle the ad-serving software Visual Discovery -- developed by Superfish -- with new notebooks. Soon after the computers shipped, it emerged that the adware had a security flaw that left users vulnerable to hackers.

Visual Discovery inserted ads into a host of web pages, including secure HTTPS pages. To accomplish this, the software tinkered with Windows' cryptographic security, according to reports. The result was that the software may have placed consumers' encrypted data -- including passwords and bank account numbers -- at risk.

After reports surfaced about Superfish's problems, Lenovo said it stopped preloading the software and shut down server connections that enabled Superfish. The company also posted instructions telling people how to remove the program, and said it was working with McAfee and Microsoft to fix the security vulnerability created by the software.

Last year, Lenovo settled a complaint about the adware by the Federal Trade Commission and 31 attorneys general. The company agreed to pay $3.5 million to the state attorneys general, and to obtain consumers' explicit consent before pre-installing certain types of ad-serving software. Lenovo also agreed to allow security audits for 20 years.