Lenovo Hits 'Kill Switch' on Adware
Preinstalled Superfish Now Targeted for Deletion
In the wake of security researchers warning that Superfish adware poses a danger to users, Lenovo says it is taking steps to remove the adware that it preinstalled on many of its laptops for consumers (see Lenovo Slammed Over Superfish Adware).
Beijing-based Lenovo, the world's largest PC manufacturer, has already released a downloadable tool users can run to remove the Superfish Visual Discovery adware from their laptops - as well as the root certificate installed by the software. Lenovo stopped shipping laptops with Superfish preinstalled earlier this month (see Lenovo Drops Superfish Adware).
But many affected consumers won't know that the adware - which security experts are warning puts users at risk of having their encrypted communications intercepted by third parties - is running on their Windows laptop.
Now, however, Lenovo says it's targeting any Superfish software installed on its laptops with automatic removal. "We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," Lenovo spokeswoman Wendy Fung tells Information Security Media Group. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem."
Both Microsoft and Trend Micro confirm that their security software now scans for Superfish Visual Discovery - which they respectively classify as a Trojan, and adware - and is set to automatically remove it whenever found.
First Lawsuit Filed
Lenovo, saying it "messed up," has continued to apologize for pre-installing the adware on many of its consumer-focused laptops, including non-ThinkPad models such as the E Series, G Series, U Series, S Series, Y Series, Z Series, as well as Flex, Miix and Yoga.
But that hasn't stopped the first related lawsuit - seeking class-action status - from reportedly being filed late last week by blogger Jessica Bennett, who claims that the Superfish software - referred to as "spyware" in court documents - damaged her computer. Her suit accuses Lenovo of violating state and federal privacy laws and earning money by monitoring her Web-browsing habits.
Lenovo declined to comment on the lawsuit.
Problem: Root Certificate
Security experts say the Superfish Visual Search tool installs its own root certificate, allowing it to run a man-in-the-middle proxy service on PCs that enables it to decrypt all SSL communications, as well as add advertisements to Web pages even if a user browses a website using HTTPS. The root certificate, however, could be abused by anyone connected to the same local network, such as a WiFi hotspot in a café, or by criminals or intelligence agencies who access the system remotely, warns Robert David Graham, head of information security research firm Errata Security.
Last week, Adi Pinhas, CEO of Superfish, told Information Security Media Group that "Superfish is completely transparent in what our software does and at no time were consumers vulnerable - we stand by this today."
While no related attacks have yet been reported in the wild, Graham says in a blog post that related attacks would be easy to execute. Notably, Graham says he was able to crack the Superfish root certificate in just three hours, using a $35 Raspberry Pi computer. With another three hours' work, Graham says he built a practical, working exploit - in the form of a rogue WiFi hotspot - that can eavesdrop on the communications of any device that has the Superfish root certificate installed.
Facebook Sounds Warning
Many devices - not just those manufactured by Lenovo - may now be at risk from related attacks. "Superfish uses a third-party library from a company named Komodia to modify the Windows networking stack and install a new root Certificate Authority, allowing Superfish to impersonate any SSL-enabled site," Matt Richard, a threat researcher on Facebook's security team, says in a blog post.
Other businesses also appear to be using Komodia's software, often including related functionality built into "free" tools. "We've observed more than a dozen other software applications using the Komodia library, and many of these applications appear to be suspicious," Richard says. "Here is a list of the certificate issuers we observed: ArcadeGiant, CartCrunch Israel, Catalytix Web Services, Objectify Media, OptimizerMonitor, Over the Rainbow Tech, Say Media Group, System Alerts, WiredTools."
US-CERT: Komodia Alert
The U.S. Computer Emergency Response Team, which issued an alert over Superfish, has expanded that alert to include the "Komodia Redirector with SSL Digestor" software development kit. US-CERT says that the "self-described 'interception engine'" installs "non-unique root CA certificates and private keys," thus making "systems broadly vulnerable to HTTPS spoofing." CloudFlare security researcher Filippo Valsorda explains that "an attacker can intercept any HTTPS connection, present a self-signed certificate to the client, and browsers will show a green lock because Komodia will sign it for them."
In other words, would-be attackers could tap the certificate to make targeted systems use a digital certificate that they provide, which could then allow the attacker to remotely monitor all communications sent to or from the device, regardless of whether they were encrypted using SSL.
US-CERT warns that it's found the Komodia root certificate being used in products - including some security tools - from Atom Security, Infoweise, KeepMyFamilySecure, Komodia, Kurupira, Lavasoft, Lenovo, Qustodio and Websecure. It also appears to be used in PrivDog software - developed by Melih Abdulhayoglu, CEO of security software vendor Comodo - and has been bundled with some distributions of Comodo's software.
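For administrators who want to check a Windows machine for the kind of root certificate described above, the following is an added example (not code from Lenovo, US-CERT or Facebook) that searches the trusted-root stores for the names quoted in this article. It assumes the certificate's subject or issuer contains one of those names; the name list and the output fields are choices made for this example.

```powershell
# Added example: audit the Windows trusted-root stores for certificates whose
# subject or issuer contains a name quoted in the article (Superfish, Komodia,
# and the issuer names listed by Facebook's researcher).
# A match is a lead to investigate, not proof that the Komodia SDK is present.

$names = @(
    'Superfish', 'Komodia',
    'ArcadeGiant', 'CartCrunch Israel', 'Catalytix Web Services',
    'Objectify Media', 'OptimizerMonitor', 'Over the Rainbow Tech',
    'Say Media Group', 'System Alerts', 'WiredTools'
)

# Build one case-insensitive alternation, escaping any regex metacharacters.
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Machine-wide and per-user trusted root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root CA is self-signed: subject and issuer are identical.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # True when a private key is associated with the certificate
                # in this store.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($hits) {
    $hits | Format-List
    Write-Warning "$(@($hits).Count) trusted root certificate(s) matched; review before removing."
} else {
    Write-Output 'No trusted root certificate matched the listed names.'
}
```

The script only reads the stores and changes nothing. Applications that keep their own trust store are not covered by this check.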
Lavasoft confirmed in a Feb. 22 statement that its products had used the Komodia root certificate as part of a component in its anti-spyware and anti-virus program designed "to scan and eliminate malicious content/advertising in HTTPS traffic, including content injected by Internet proxies installed on the PC."
Lavasoft says it implemented this functionality - in such products as Ad-Aware Web Companion - using the Komodia SSL Digestor SDK, but says that it didn't collect or analyze any of the encrypted SSL traffic that was decrypted by its software. "All analysis of incoming traffic to eliminate security risks was performed on the end-user's PC." Lavasoft promised to issue an update for all affected products that removes the vulnerable Komodia root certificate by February 23.