Lenovo has promised not to include Superfish with products in the future, but how dangerous is the adware to consumers?
According to security researchers, the problem is worse than we thought.
Last week, reports surfaced which claimed that Lenovo Notebooks have been issued to consumers containing a preloaded security flaw. Originally, the Chinese tech giant said the Superfish adware was not a security concern -- however, eventually the company realized and admitted that the software was able to install its own self-signing man-in-the-middle (MITM) proxy service which has the potential to hijack SSL and TLS connections -- a severe, nasty security vulnerability.
On Saturday, Lenovo issued a statement saying the company "did not know about this potential security vulnerability," and admitted it was the company's mistake in allowing the adware to slip the net.
"We recognise that this was our miss, and we will do better in the future. Now we are focused on fixing it," Lenovo said.
Lenovo has now released a removal tool to eradicate the adware from the firm's products, and security companies including McAfee are working to add the software to malware scanners.
According to a Lenovo security advisory, Superfish came preloaded on notebook products shipped between September 2014 and February 2015. The firm has reached out to Superfish to "disable all server activity associated with their product," and promises not to preload this software on products in the future.
But just how serious is Superfish, and how can it harm consumers?
On Friday, the Threat Infrastructure team at Facebook issued an analysis of the adware, saying that while it is not uncommon for PC products to come preloaded with applications, Superfish is different due to its ability to intercept SSL and TLS website connections. Superfish is able to inspect this content, and uses a third-party library from Komodia to "modify the Windows networking stack and install a new root Certificate Authority (CA)," which in turn gave the adware power to impersonate any SSL-enabled website.
"The new root CA undermines the security of web browsers and operating systems, putting people at greater risk," Facebook's team says.
While the official reason for this practice is for Superfish to inspect a user's search queries and make suggestions based on input, Superfish is the veritable stuff of nightmares for the privacy-conscious. As the adware is able to sit in the middle of a connection, Superfish is able to inspect not only search queries, but also peek at emails, banking and social media traffic.
However, another issue is the use of a new root CA, of which the CA is the same across many different computers. By reusing the same certificate and keys, the security team says computers are left vulnerable to MITM attacks on networks such as public Wi-Fi. Phishing campaigns and malicious websites may trick users into handing over sensitive data including banking and website account details.
"Although we are not aware of anyone abusing this certificate in the wild, it's a real risk and would be hard to detect," Facebook's team noted.
Unfortunately, Superfish is not the only company which has been connected to the Komodia library. A number of other services also use the third-party library application, including WiredTools, ArcadeGiant, Catalytix Web Services and Say Media Group.
According to security researcher Filippo Valsorda, who made an online test to extract keys from computers with Superfish installed, Komodia is "horribly broken" and additional security problems posed by the library leads Superfish to be deemed a "catastrophic" piece of adware.
If Komodia comes across an invalid, untrusted or self-signed certificate, even if validation fails, Komodia will still re-sign it -- making the certificate appear trusted -- but change the domain name so a warning comes up in a user's browser.
However, if the library application comes across a server certificate with the X509 alternative name extension -- which includes an alternative field for other domains in which validity can be specified -- the Komodia proxy is able to take a self-signed certificate, sign it with their root but leave alternate names alone, which leads a browser to believe the certificate is valid.
In other words, a hijacker could theoretically intercept a HTTPS connection, present a self-signed certificate and browsers will show users a green, secure lock -- as Komodia will sign it for them. All that has to be done to bypass verification is to place the target domain name in the alternative field.
The result? Any user with Komodia software will accept any certificate that has the domain name in the alternative field -- whether safe or not, and without the need to extract root keys from software, MITM attacks can take place at the same time. Valsorda says:
"It's catastrophic. It's the only way all this mess could have been even worse."
In the aftermath of the Superfish spectacle, a thread on Hacker News asked whether the Privdog adware, shipped with software from Comodo, was also a security risk. The answer? Yes, as Privdog is also able to break HTTPS security by forcing your browser to accept every HTTPS certificate it comes across -- whether signed by a certificate authority or not.