
Earth Bound Misfit

(3,554 posts)
Sun Feb 22, 2015, 05:06 AM Feb 2015

Superfish vulnerability traced to other apps, too...

http://www.pcworld.com/article/2887253/superfish-vulnerability-traced-to-other-apps-too.html#tk.nl_today

But it gets worse. It turns out Superfish relied on a third-party component for the HTTPS interception functionality: an SDK (software development kit) called the SSL Decoder/Digestor made by an Israeli company called Komodia.

Researchers have now found that the same SDK is integrated into other software programs, including parental control software from Komodia itself and other companies. And as expected, those programs intercept HTTPS traffic in the same way, using a root certificate whose private key can easily be extracted from their memory or code...

U.S. government gets involved

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which is sponsored by the U.S. Department of Homeland Security, has issued a security advisory about the issue.

http://www.kb.cert.org/vuls/id/529496

In multiple applications implementing Komodia's libraries, such as Superfish Visual Discovery and KeepMyFamilySecure, the root CA certificates have been found to use trivially obtainable, publicly disclosed, hard-coded private keys. Note that these keys appear to be distinct per application, though the same methods have proven successful in revealing the private keys in each instance.

In addition to sharing root CA certificates across installation, it has been reported that the SSL validation that Komodia itself performs is broken. This vulnerability can allow an attacker to universally attack all installations of Komodia Redirector, rather than needing to focus on a single application / certificate.

Related: Lenovo caught installing adware on new computers


Superfish vulnerability traced to other apps, too... (Original Post) Earth Bound Misfit Feb 2015 OP
sounds familiar-Malwarebytes has found similar crap before hobbit709 Feb 2015 #1
Yep, I've clean reinstalled all my new OEM pc's since XP days. n/t Earth Bound Misfit Feb 2015 #2
Predictable response: Superfish CEO says software presents no security risk Earth Bound Misfit Feb 2015 #3
That's called lying through your teeth. hobbit709 Feb 2015 #4

hobbit709

(41,694 posts)
1. sounds familiar-Malwarebytes has found similar crap before
Sun Feb 22, 2015, 07:11 AM
Feb 2015

All the crapware a prebuilt unit comes with is bogged down with spyware and adware at best and out-and-out malware at worst.
All those little "helper" apps are designed to help the advertisers, not you.

Earth Bound Misfit

(3,554 posts)
3. Predictable response: Superfish CEO says software presents no security risk
Mon Feb 23, 2015, 08:21 AM
Feb 2015

Is it just spin, or is the CEO really this fu@#ing stupid?

http://arstechnica.com/security/2015/02/superfish-doubles-down-says-https-busting-adware-poses-no-security-risk/

Following security professionals' near-unanimous condemnation of adware that hijacked encrypted Web connections on Lenovo computers, the CEO of the company that developed the finished product is doubling down on his insistence that it poses no threat to end users.

...

Update: It turns out the vulnerability is easier to exploit than previously known. As this post was being prepared, a security researcher published new findings showing that a malicious hacker doesn't need the easily-extracted Superfish private key to perform a man-in-the-middle attack on PCs that have the Komodia proxy installed. That's because the proxy will re-sign invalid certs and make them appear valid to the browser.

Despite all of this, Pinhas's statement doesn't address the criticism. Instead, it attacks an argument that no one has made—that Superfish somehow shares personal information without users' permission.


http://www.csoonline.com/article/2887235/application-security/spin-and-fud-superfish-ceo-says-software-presents-no-security-risk.html

If you uninstall Visual Discovery, the Superfish certificate remains on the system with the exact level of trust it had while the software was operational. Its function and existence on a system can lead to a Man-in-the-Middle attack, one that wouldn't be too difficult for an attacker to leverage based on the design of the software and its security protocols.

All an attacker would need to do is sign a certificate using the Superfish private key, which normally would cause a problem, as the attacker would first need both the software's public key, as well as the private key and its password.

However, Visual Discovery was so poorly implemented and deployed, that researchers were able to find and crack the Superfish private key within hours. As it turns out, the password for the private key is 'komodia' – the name of the company that created the tools needed to enable Superfish to Man-in-the-Middle connections.

Worse, Superfish uses the same key on each installation, meaning millions of Lenovo customers could be at risk.
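As an added, defender-side example (not from the thread or from any of the quoted articles): a PowerShell check for lingering Superfish/Komodia root certificates in the Windows trust stores, which the CSO excerpt above says survive an uninstall of Visual Discovery, and which the CERT advisory says carry a shared, extractable private key. It assumes a Windows host with PowerShell 3 or later; the name patterns are simply the two names used in the thread.

```powershell
# Added example: scan the machine and user trusted-root stores for
# certificates whose subject or issuer names Superfish or Komodia.
# Assumption: PowerShell 3+ on Windows (the Cert: drive and Remove-Item
# support for it are standard there).
$pattern = 'Superfish|Komodia'   # names taken from the thread, not a vendor list
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root CA whose private key is also present on the box is
                # the worst case: anything signed with it is trusted locally.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    # After review, remove each hit (LocalMachine needs an elevated prompt):
    # $hits | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    'No Superfish/Komodia root certificates found in the scanned stores.'
}
```

Removing the certificate addresses the lingering trust; the Komodia proxy component itself, if still installed, is a separate thing to uninstall.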
