Lenovo admits Superfish is a security vulnerability

February 23, 2015 // 12:01 p.m.

Tags: #flaw #insecurity #komodia #lenovo #privacy #security #ssl #superfish #tls #vulnerability

Chinese device builder Lenovo has confessed that the Superfish advertising software it bundled on selected consumer laptops does indeed introduce a gaping security hole, days after claiming it had found no evidence of such a flaw.

Lenovo hit the headlines for all the wrong reasons last week when it emerged that the company had bundled Superfish with its consumer-grade laptops in order to inject advertising into web pages and generate additional revenue from its consumers. Such a move is distasteful enough, but a bigger concern came from Superfish's use of Komodia man-in-the-middle technology to silently decrypt and modify even SSL/TLS-protected communications. Komodia's software development kit achieved this by installing a fake certificate authority (CA) into the operating system and all browsers, with a copy of the private key included embedded within a DLL. Once it was discovered that the password for the key was 'komodia,' attackers could create any certificate and have it blindly trusted by the operating system for everything from web browsing to software or driver installation.

The discovery of the key and its poor password led to merry times on social networking services as researchers and security enthusiasts created fake yet totally-trusted certificates for everything from Microsoft's Windows Update servers to Lenovo's own website. Lenovo, amazingly, issued a statement in which it downplayed the issue, claiming that Superfish was not installed on its laptops except during a short window between October and December [2014],' that it had 'completely disabled server-side interactions (since January),' and most incredibly that the company had 'thoroughly investigated this technology and [did] not find any evidence to substantiate security concerns.'

Realising, perhaps, that claiming ignorance of security concerns while people are actively using the software to fake certificates for its own website, Lenovo has performed an impressive volte-face. 'We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience,' the company claims in its latest statement on the matter. 'However, we did not know about this potential security vulnerability until yesterday,' the statement continues, seemingly contradicting its earlier claims to have 'thoroughly investigated' the issue. 'Now we are focused on fixing it.'

As a result, the company has released an automated tool designed to clean Superfish and its dodgy certificates from all affected systems. For those who think trusting yet more code from a company which has shown a callous disregard for its customers' privacy and security would be crazy, Lenovo has also published the source code of the tool for researchers to verify that it does as is claimed. Manual removal instructions for the operating system and browsers including Internet Explorer, Chrome, Opera, Firefox and Safari are also provided.

The release comes as Microsoft officially rated Superfish and its Komodia SSL-hijacker as potentially unwanted software, adding detection of the code and certificates to its Windows Defender anti-malware package for automatic removal. The update is released as researchers publish details of yet more software which uses Komodia's utility, published by Facebook late last week. To add to this week's woes, a similar security vulnerability was discovered in the supposedly privacy-enhancing PrivDog software bundled by certificate vendor and security giant Comodo with selected applications and created by its chief executive officer - a flaw which Johannes 'Hanno' Böck claims makes any browser on the system implicitly trust all certificates, even self-signed and those with invalid signatures or untrusted certificate authorities in the chain.

Despite Lenovo's admission that Superfish represents a real security concern, the software vendor itself denies any such issue. 'Despite the false and misleading statements made by some media commentators and bloggers, the Superfish software does not present a security risk,' the company has claimed in a statement to press. 'Unfortunately, in this situation a vulnerability was introduced unintentionally by a 3rd party,' the statement continues - Superfish seemingly looking to pass the blame off on Komodia, the company which produced the SSL-breaking SDK Superfish chose to use in its software. 'Both Lenovo and Superfish did extensive testing of the solution but this issue wasn’t identified before some laptops shipped.'
Discuss this in the forums

QUICK COMMENT

SUBSCRIBE TO OUR NEWSLETTER

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU