Flutterby™! : Pre-installed malware

Researchers find insecure BIOS 'rootkit' pre-loaded in laptops. Alfredo Ortega and Anibal Sacco from Core Security Technologies suggest that it's easy to alter the "phone home" information in Computrace LoJack for Laptops to hijack the anti-theft service to do one's own nefarious bidding.

And Lenovo has been shipping laptops with "Superfish" adware injection software installed, it hijacks your Google searches and injects ads into them. It apparently installs it's own CA, to allow MitM attacks against any https site(!).

Addendum: EFF: Lenovo is breaking HTTPS security on its recent laptops:

Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM attacks means that all HTTPS security for at least Internet Explorer, Chrome, and Safari for Windows, on all of these Lenovo laptops, is now broken. If you access your webmail from such a laptop, any network attacker can read your mail as well or steal your password. If you log into your online banking account, any network attacker can pilfer your credentials. All an attacker needs in order to perform these attacks is a copy of the Superfish MITM private key. There is (apparently) a copy of that key inside every Superfish install on every affected Lenovo laptop, which has now been extracted and posted online.