So... let's tell a story, of a company that wanted to sell some ad space. But they didn't want to provide ad space on their own website... they wanted to be able to run their ads on all kinds of websites. So they wrote a program they could put on people's computers to inject ads into whatever web page they happened to be looking at.
But then they found out about HTTPS, and how that would stop their ads from appearing - how could they inject their ads into an encrypted channel? Well, that's easy enough - you trick the browser into encrypting its messages with your own certificate, instead of the server's, so you can decrypt them and make your changes. But how do you get the browser to accept your certificate, without complaining? Simple - you just install it as a trusted root certificate with all permissions into the OS, so that everything running on that computer will consider you to be the Ultimate Authority on... pretty much everything.
And so, satisfied that it had managed to put its ads everywhere it wanted, this happy little company shipped its program on every computer they sold, causing untold numbers of stability problems and security holes.
If this story sounds ridiculous... well, you may just be familiar with Lenovo Group.
(hat tip to Aaeriele and Xanthir who I saw this from on Twitter...)
Bonus terrible: Apparently the root cert that this installs is the same for every installation... so if you extracted the private key from the software (which wouldn't be that hard) you could sign something that would be accepted by any Lenovo computer that had this thing installed. Also, the root cert doesn't get removed when you uninstall the software.
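Since the root cert survives an uninstall, the way to confirm a machine is clean is to compare its trusted roots against a known-good export. The following is an added example, not code from the original post: the function names are hypothetical, and the sample "certificates" are constructed placeholder bytes rather than real DER data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """SHA-256 fingerprint of the DER bytes of each certificate in a PEM bundle."""
    ders = (base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_bundle))
    return {hashlib.sha256(der).hexdigest() for der in ders}


def leftover_roots(baseline_pem, current_pem):
    """Roots trusted now that were not in the known-good baseline export."""
    return sorted(fingerprints(current_pem) - fingerprints(baseline_pem))


def to_pem(der):
    """Wrap raw bytes as a PEM certificate block (only used to build sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes standing in for DER certificates.
OS_ROOT_A = b"constructed placeholder: OS vendor root A"
OS_ROOT_B = b"constructed placeholder: OS vendor root B"
INJECTED_ROOT = b"constructed placeholder: ad-injector root"

# Known-good export of the root store (assumed to come from a clean image).
BASELINE = to_pem(OS_ROOT_A) + to_pem(OS_ROOT_B)
# Export taken after the software was uninstalled: its root is still trusted.
AFTER_UNINSTALL = to_pem(OS_ROOT_B) + to_pem(INJECTED_ROOT) + to_pem(OS_ROOT_A)

if __name__ == "__main__":
    for fp in leftover_roots(BASELINE, AFTER_UNINSTALL):
        print("unexpected trusted root, sha256:", fp)
```

On a real machine both inputs would be PEM exports of the OS root store, one from a clean image and one from the machine being checked. Because every installation carries the same root, a single fingerprint flagged this way identifies the certificate on every affected computer.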