Superfish Woes More Widespread

Wednesday, February 25, 2015 @ 11:02 AM gHale

The SSL interception library used by Superfish software installed on Lenovo laptops is also on at least a dozen other applications, researchers said.

Lenovo came into the spotlight last week after numerous individuals who acquired new laptops started complaining about ad injections made by a browser add-on from Superfish. It also turned out the application used a proxy and a self-signed root certificate to intercept HTTPS connections and inject the ads.


Security researchers identified several problems. Besides the fact the adware breaks HTTPS browsing, every one of the Superfish certificates ends up signed with the same private key, protected by the same password, “komodia.”

Komodia is the name of the company that develops Komodia Redirector and Komodia SSL Digestor, the solutions used by the Superfish app to intercept connections and manipulate HTTPS traffic.

Komodia’s proxy software doesn’t correctly implement SSL, and it doesn’t validate certificates properly, according to security researcher Marc Rogers.

These issues could be used by an attacker to hijack a user’s connections.
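The two problems described above, a locally installed interception root that re-signs every site and a proxy that does not validate upstream certificates, both show up in the same place: the certificate chain the browser ends up trusting names the interceptor, not the site’s public CA. The following added example (my own defender-side check, not code from the article, Lenovo, Superfish or Komodia) classifies a certificate in the dictionary shape returned by Python’s stdlib `ssl.SSLSocket.getpeercert()`. The sample certificates, the expected-CA set `{"Example Public CA"}` and the `KNOWN_INTERCEPTORS` substrings are constructed for illustration; the “Superfish, Inc.” issuer naming is an assumption, not taken from the page.

```python
"""Flag TLS connections whose certificate chain is signed by a local
interception root instead of the expected public CA.

Added example (not from the article or from Lenovo/Superfish/Komodia).
Assumes the issuer organizations you expect for a host are pinned in
advance, and that certificate dicts are in the shape returned by
Python's ssl.SSLSocket.getpeercert().
"""
import socket
import ssl

# Constructed sample: what getpeercert() returns for a normal connection.
EXPECTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA G2"),),
    ),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}

# Constructed sample: the same host seen through an ad-injecting local
# proxy that re-signs every site with its own root (issuer naming is an
# assumption for illustration, not taken from the article).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}

# Substrings that, appearing in an issuer name, indicate a known
# interception root rather than a public CA. Extend with your own list.
KNOWN_INTERCEPTORS = ("superfish", "komodia")


def issuer_fields(cert):
    """Flatten getpeercert()'s nested issuer RDN tuples into a flat dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}


def classify_chain(cert, expected_orgs):
    """Return 'ok', 'known-interceptor' or 'unexpected-issuer'.

    The known-interceptor check runs first so a pinned-issuer mismatch
    caused by a recognised interception root is reported by name.
    """
    fields = issuer_fields(cert)
    org = fields.get("organizationName", "")
    cn = fields.get("commonName", "")
    haystack = (org + " " + cn).lower()
    if any(name in haystack for name in KNOWN_INTERCEPTORS):
        return "known-interceptor"
    if org not in expected_orgs:
        return "unexpected-issuer"
    return "ok"


def check_host(host, expected_orgs, port=443, timeout=5.0):
    """Live check: fetch the leaf certificate the OS trust store accepts
    and classify its issuer. Needs network access; not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_chain(tls.getpeercert(), expected_orgs)


if __name__ == "__main__":
    for label, cert in (("clean", EXPECTED_CERT), ("proxied", INTERCEPTED_CERT)):
        print(label, "->", classify_chain(cert, {"Example Public CA"}))
```

The point of `check_host` is that once an interception root has been added to the machine’s trust store, `create_default_context()` happily accepts the re-signed chain, so the normal handshake raises no error; the only visible symptom is the issuer name, which is what `classify_chain` inspects. Run it against a handful of sites whose CA you know and a result other than `ok` on every one of them is the signature of a system-wide proxy like the one the article describes.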

The Komodia library also ships in several other products, including parental control software from Komodia and Qustodio, Kurupira Webfilter, Staffcop, Easy hide IP Classic, and Lavasoft Ad-aware Web Companion.

Facebook researchers found over a dozen applications using the library. The list of certificate issuers found includes CartCrunch Israel LTD, WiredTools LTD, Say Media Group LTD, Over the Rainbow Tech, System Alerts, ArcadeGiant, Objectify Media Inc, Catalytix Web Services, and OptimizerMonitor.

For their part, Lenovo apologized to customers for the incident and provided them with instructions and software for removing the Superfish app and the certificate. The company’s representatives believe that the risks identified by researchers are “theoretical.”
