Lenovo is now changing its stance on the Superfish adware that was bundled on some of its PCs between October and December 2014. Initially, Lenovo claimed there was no security risk from Superfish, but as it turns out, the risk is real and it extends beyond just Lenovo.
On Feb. 19, Lenovo published a statement that noted it had thoroughly investigated Superfish and did not find any evidence to substantiate security concerns. On Feb. 20, Lenovo changed its official position on Superfish and updated its statement admitting that, in fact, there are security risks to the adware technology that it bundled with its PCs.
Lenovo has also issued a security advisory that labels the Superfish adware as a vulnerability whose potential impact is a man-in-the-middle (MiTM) attack.
“Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA [certificate authority] store,” Lenovo’s advisory states.
Because its self-signed root certificate sits in the trusted CA store, the Superfish adware could potentially intercept and read a user’s encrypted traffic, exposing the user to information disclosure risks. While Lenovo as of Feb. 19 did, in fact, have a basic removal tool in place for Superfish, the company did not have a tool that would remove the root CA. As of Feb. 20, Lenovo now has an automated tool that will remove all the Superfish components. Lenovo has also provided instructions for those wanting to remove Superfish and its associated root CA manually.
Lenovo isn’t the only organization that is sounding the alarm on Superfish and its malware potential. The United States Computer Emergency Readiness Team (US-CERT) issued an alert on Feb. 20 that also reveals that there is risk that goes beyond just Lenovo.
“The underlying SSL [Secure Sockets Layer] decryption library from Komodia has been found to be present on other applications, including KeepMyFamilySecure,” US-CERT warned in its alert.
Komodia is the firm behind the Superfish adware technology that Lenovo deployed. Komodia’s SSL Digestor technology, in particular, is what has caused security concerns. US-CERT has also issued a broader vulnerability note about SSL Digestor and its risks.
“An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems,” US-CERT warns in its vulnerability note on the Komodia technology.
The only solution that US-CERT offers for dealing with the technology’s risk is to uninstall any software that included the Komodia SSL Digestor. US-CERT’s vulnerability note lists multiple vendors that are impacted by the SSL Digestor, including Atom Security, Lavasoft, Qustodio, Kurupira, Infowise and Websecure.
The full impact of the Komodia technology, however, is likely much wider than what US-CERT has warned about.
Matt Richard, threats researcher on the Facebook Security Team, wrote a detailed note about Superfish. According to Facebook’s research, more than a dozen software applications use Komodia’s software libraries. Some of the applications that Facebook found to be using the Komodia technology included CartCrunch Israel, WiredTools, Say Media Group, Over the Rainbow Tech, System Alerts, ArcadeGiant, Objectify Media, Catalytix Web Services and OptimizerMonitor.
“Some of these applications appear as games, while others seem to generate pop-ups based on your search behavior or claim to perform a specific function like Superfish’s Visual Search,” Richard wrote. “What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases, they are difficult to remove.”
While Lenovo initially maintained that Superfish was just adware, other vendors had already been labeling software built on the underlying Komodia technology as a Trojan. Richard noted that Symantec had identified Komodia’s technology as “Trojan.Nurjax” in an advisory issued Dec. 9, 2014.
While the whole Superfish Komodia incident has placed users at risk, there is a silver lining in that the risk can be easily detected and mitigated.
“In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software,” Richard stated. “Facebook is actively working with our antivirus partners to find and remove instances of malware we detect when people visit our service.”
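The detection Richard describes works because a re-signing proxy leaves its own identity on every certificate it hands the client: a site that should be issued by a public CA suddenly appears issued by the interception root, and the browser stays silent only because that root was pushed into the trusted store. The following Python script is an added example, not code from the article, Lenovo, US-CERT or Facebook; it inspects the leaf certificate a TLS connection actually presents and flags the Superfish/Komodia pattern. The function names (`classify_leaf`, `check_endpoint`, `dn_to_dict`), the `SUSPECT_ISSUER_TERMS` list and the sample certificate at the bottom are this example's own constructions; only the vendor names "Superfish" and "Komodia" come from the article.

```python
"""Detect a locally trusted TLS-interception root (Superfish/Komodia style)
from the certificate a client actually receives.

Added example; hypothetical helpers: dn_to_dict, classify_leaf, check_endpoint.
"""
import socket
import ssl

# Substrings that identify the interception vendor named in the article.
# Matching them against the issuer DN is this example's assumption.
SUSPECT_ISSUER_TERMS = ("superfish", "komodia")


def dn_to_dict(rdns):
    """Flatten the nested RDN tuples from ssl.getpeercert() into
    {attribute: value}; the last value wins for repeated attributes."""
    out = {}
    for rdn in rdns:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify_leaf(cert, expected_issuer_org=None):
    """Return (verdict, reason) for a leaf certificate in getpeercert() format.

    A proxy that re-signs every site with one locally trusted root leaves
    two fingerprints on the leaf the client sees:
      1. the issuer names the interception vendor instead of a public CA;
      2. the issuer differs from the CA that really signs the site.
    """
    issuer = dn_to_dict(cert.get("issuer", ()))
    subject = dn_to_dict(cert.get("subject", ()))
    issuer_text = " ".join(str(v) for v in issuer.values()).lower()

    # A self-signed leaf on a public site would normally trigger a warning;
    # it does not when the same certificate lives in the trusted root store.
    if issuer == subject:
        return "intercepted", "leaf certificate is self-signed"

    for term in SUSPECT_ISSUER_TERMS:
        if term in issuer_text:
            return "intercepted", f"issuer mentions {term!r}"

    if expected_issuer_org is not None:
        seen = issuer.get("organizationName")
        if seen != expected_issuer_org:
            return "suspicious", (
                f"issuer O={seen!r}, expected {expected_issuer_org!r}")

    return "clean", "issuer matches expectations"


def check_endpoint(host, port=443, expected_issuer_org=None, timeout=5.0):
    """Connect to host:port and classify the certificate actually presented.

    The default trust store is used on purpose: on a machine where the
    interception root was installed, verification succeeds, and only the
    issuer inspection reveals the proxy. Requires network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_leaf(tls.getpeercert(), expected_issuer_org)


if __name__ == "__main__":
    # Constructed sample: roughly what a client behind a Superfish-style
    # proxy would see for a public site (values are made up for this example).
    sample = {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Superfish"),),
                   (("commonName", "Superfish"),)),
    }
    print(classify_leaf(sample, expected_issuer_org="Example Public CA"))
```

`check_endpoint("www.example.com", expected_issuer_org="...")` from an affected machine returns `"intercepted"` even though `ssl` raised no verification error, which is the whole point: once a root is trusted, chain validation cannot tell you it is a proxy, so a defender has to compare the issuer it sees with the issuer the site is known to use. The `expected_issuer_org` comparison also catches interception products that do not carry an obvious vendor name.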
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.