
    Lenovo Now Acknowledges Superfish Adware Risks

    By Sean Michael Kerner - February 23, 2015

      Lenovo is now changing its stance on the Superfish adware that was bundled on some of its PCs between October and December 2014. Initially, Lenovo claimed there was no security risk from Superfish, but as it turns out, the risk is real and it extends beyond just Lenovo.

      On Feb. 19, Lenovo published a statement that noted it had thoroughly investigated Superfish and did not find any evidence to substantiate security concerns. On Feb. 20, Lenovo changed its official position on Superfish and updated its statement admitting that, in fact, there are security risks to the adware technology that it bundled with its PCs.

      Lenovo has also issued a security advisory that labels the Superfish adware a vulnerability whose potential impact is a man-in-the-middle (MiTM) attack.

      “Vulnerabilities have been identified with the software, which include installation of a self-signed root certificate in the local trusted CA [certificate authority] store,” Lenovo’s advisory states.

      With a self-signed root certificate installed, the Superfish adware could potentially have seen a user’s encrypted traffic, exposing the user to information disclosure risks. While Lenovo did, in fact, have a basic removal tool in place for Superfish as of Feb. 19, the company did not have a tool that would remove the root CA. As of Feb. 20, Lenovo has an automated tool that will remove all the Superfish components. Lenovo has also provided instructions for those wanting to uninstall Superfish and its associated root CA manually.
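
      A way to check that no such root certificate remains in the Windows trusted root stores after removal, as an added example that is not from Lenovo, US-CERT or the article. The function name `Get-SuspectRootCert` is hypothetical, and the name fragments it matches are an assumption drawn from product names in this article, which gives no certificate fields or fingerprints.

```powershell
# Added example: audit the Windows trusted root stores for certificates whose
# subject or issuer matches software named in the article.
# Assumption: the name fragments below; the article lists no certificate
# fields or fingerprints, so a match is a lead to verify, not proof.
$Watchlist = @('Superfish', 'Komodia', 'KeepMyFamilySecure')
$Stores    = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-SuspectRootCert {
    param(
        [string[]]$StorePath    = $Stores,
        [string[]]$NameFragment = $Watchlist
    )
    # Escape each fragment so it is matched literally, then OR them together.
    # -match is case-insensitive by default.
    $pattern = ($NameFragment | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    # A root installed by local software is typically self-signed.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotBefore  = $_.NotBefore
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

$hits = @(Get-SuspectRootCert)
if ($hits.Count -eq 0) {
    Write-Output 'No trusted root certificate matched the watchlist.'
} else {
    $hits | Format-List
    Write-Warning "$($hits.Count) trusted root certificate(s) matched the watchlist; verify each against the vendor advisory before removal."
}
```

      Run it once per user profile as well as elevated, since the current-user store differs between accounts.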

      Lenovo isn’t the only organization that is sounding the alarm on Superfish and its malware potential. The United States Computer Emergency Readiness Team (US-CERT) issued an alert on Feb. 20 that also reveals the risk goes beyond just Lenovo.

      “The underlying SSL [Secure Sockets Layer] decryption library from Komodia has been found to be present on other applications, including KeepMyFamilySecure,” US-CERT warned in its alert.

      Komodia is the firm behind the Superfish adware technology that Lenovo deployed. Komodia’s SSL Digestor technology, in particular, is what has caused security concerns. US-CERT has also issued a broader vulnerability note about SSL Digestor and its risks.

      “An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems,” US-CERT warns in its vulnerability note on the Komodia technology.

      The only solution that US-CERT offers for dealing with the technology’s risk is to uninstall any software that included the Komodia SSL Digestor. US-CERT’s vulnerability note lists multiple vendors that are impacted by the SSL Digestor, including Atom Security, Lavasoft, Qustodio, Kurupira, Infowise and Websecure.

      The full impact of the Komodia technology, however, is likely much wider than what US-CERT has warned about.

      Matt Richard, threats researcher on the Facebook Security Team, wrote a detailed note about Superfish. According to Facebook’s research, more than a dozen software applications use Komodia’s software libraries. Some of the applications that Facebook found to be using the Komodia technology included CartCrunch Israel, WiredTools, Say Media Group, Over the Rainbow Tech, System Alerts, ArcadeGiant, Objectify Media, Catalytix Web Services and OptimizerMonitor.

      “Some of these applications appear as games, while others seem to generate pop-ups based on your search behavior or claim to perform a specific function like Superfish’s Visual Search,” Richard wrote. “What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases, they are difficult to remove.”

      While Lenovo initially admitted that Superfish was just adware, other vendors had already been labeling software built on the underlying Komodia technology as a Trojan. Richard noted that Symantec had identified Komodia’s technology as “Trojan.Nurjax” in an advisory issued Dec. 9, 2014.

      While the whole Superfish Komodia incident has placed users at risk, there is a silver lining in that the risk can be easily detected and mitigated.

      “In our research, we found that the software that installs the root CA contains a number of easily searchable attributes that enabled us to match up the certificates we see in the wild with the actual software,” Richard stated. “Facebook is actively working with our antivirus partners to find and remove instances of malware we detect when people visit our service.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.