A nice summary from Marc Rogers:
Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make.
Remember Sony? The reality is that this will not put Lenovo out of business. The repercussions for doing something obviously wrong are vanishingly small when compared to the money made by doing it. These are measured actions that involve many levels of approval and planning. These are not accidents.
Marc on the Lenovo response:
However its hard to see how they could “fix” this software. It’s core functionality undermines the security of SSL rendering the last decade or so of work making the web secure completely irrelevant.
So, the arms race continues.
By way of @SwiftonSecurity