The controversial SSL interception library used by the Superfish software installed recently on Lenovo laptops can be found in at least a dozen other applications, researchers have determined.
Lenovo came into the spotlight last week after numerous individuals who bought new laptops started complaining about ads injected into web pages by a browser add-on from Superfish. It later turned out that the application installs its own self-signed root certificate into the Windows trust store and runs a local proxy that terminates HTTPS connections: the browser sees a certificate chain it trusts, while Superfish reads and rewrites the plaintext to inject the ads.
Several problems have been identified by security experts. Besides the fact that the adware breaks HTTPS browsing, the same root certificate and its private key ship on every affected machine, and the key is protected by a single, trivially guessed password, “komodia.” Once the key has been extracted from one laptop, it is valid against every other laptop that trusts the same root.
Komodia is the name of the company that develops Komodia Redirector and Komodia SSL Digestor, the solutions used by the Superfish app to intercept connections and manipulate HTTPS traffic.
According to security researcher Marc Rogers, Komodia’s proxy software doesn’t correctly implement SSL and doesn’t properly validate the certificates of the servers it connects to on the user’s behalf. Because the proxy’s validation replaces the browser’s, a bad upstream certificate that the proxy accepts is re-signed with the trusted root and reaches the browser as a valid one.
These issues can be leveraged by a malicious actor to hijack affected users’ connections. As Errata Security’s Robert Graham has demonstrated, the Superfish certificate can be used to “pwn victims” over a rogue Wi-Fi hotspot by utilizing widely available hardware and software.
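The reason a shared root key is a universal interception key can be shown in a few lines. The following is an added example, not code from the article, Lenovo, Superfish, Komodia or Graham’s experiment: it generates a throwaway CA as a stand-in for the extracted Superfish root (the host’s trusted Root store is never touched), uses that key to mint a server certificate for a hypothetical host name, and then builds the chain the way a client would, once with the root untrusted and once as if it were installed. It assumes a Windows host with the New-SelfSignedCertificate cmdlet from the PKI module (Windows 10 / Server 2016 or later).

```powershell
# Added example: why one root key shared by every machine is a universal MITM key.
# Not code from the article, Superfish, Komodia or Robert Graham. The CA created here is
# a throwaway stand-in for the extracted Superfish root; it goes into CurrentUser\My only,
# so nothing on the host becomes trusted by running this.

# 1. The "shared" root. On affected laptops this key pair was identical on every unit.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=Demo Interception Root (stand-in for Superfish)" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 2. Anyone holding that key can mint a leaf for any host name. On a rogue hotspot the
#    attacker presents this certificate for whatever site the victim actually asked for.
$target = "online-banking.example"   # hypothetical host name, not from the article
$leaf = New-SelfSignedCertificate -Type Custom -DnsName $target -Subject "CN=$target" `
    -KeySpec Signature -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 3. Chain building as a TLS client does it. Passing $null models a clean machine; passing
#    the root models a machine on which the installer planted it as a trusted authority.
function Test-Chain($cert, $trustedRoot) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($trustedRoot) {
        # Treat the root as trusted for this chain only, without installing it.
        $chain.ChainPolicy.ExtraStore.Add($trustedRoot) | Out-Null
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    }
    $ok = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $statusText = if ($status) { $status } else { 'NoError' }
    [pscustomobject]@{ Host = $target; Trusted = $ok; Status = $statusText }
}

Test-Chain $leaf $null    # clean machine: Trusted=False (UntrustedRoot or PartialChain)
Test-Chain $leaf $root    # machine that trusts the shared root: Trusted=True

# Remove the throwaway certificates again.
Remove-Item -Path "Cert:\CurrentUser\My\$($leaf.Thumbprint)"
Remove-Item -Path "Cert:\CurrentUser\My\$($root.Thumbprint)"
```

The second result is the whole point: the browser on an affected laptop performs exactly this check against a root whose private key is public, so the forged leaf passes with no warning. Certificate pinning in the browser would not help either, because pinning is bypassed for locally installed roots.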
Rogers says the problematic Komodia library can be found in several products, including parental control software from Komodia and Qustodio, Kurupira Webfilter, Staffcop, Easy hide IP Classic, and Lavasoft Ad-aware Web Companion.
Researchers at Facebook also reported identifying more than a dozen applications using the library. The list of certificate issuers found by the social media company includes CartCrunch Israel LTD, WiredTools LTD, Say Media Group LTD, Over the Rainbow Tech, System Alerts, ArcadeGiant, Objectify Media Inc, Catalytix Web Services, and OptimizerMonitor.
According to Facebook, these certificates have been seen on more than 1,000 systems on the Internet. The company noted that only Windows appears to be impacted because the library is platform specific.
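To check whether one of these issuers is present on a Windows host, here is an added example (not code from the article, Facebook or any of the vendors named) that scans the trusted certificate stores for the names listed above. The name list is taken from this article and is a heuristic; anything it finds should be confirmed by thumbprint before removal, and the LocalMachine stores need an elevated shell to read.

```powershell
# Added example: inventory the Windows trust stores for interception roots named in the
# article. Not code from the article, Facebook or any vendor. Names below are the issuers
# and products listed in the text; matching on them is a heuristic, not proof.
$suspectNames = @(
    'Superfish', 'Komodia', 'Qustodio', 'Kurupira', 'Staffcop', 'Easy hide IP',
    'Lavasoft', 'Ad-aware', 'CartCrunch', 'WiredTools', 'Say Media', 'Over the Rainbow',
    'System Alerts', 'ArcadeGiant', 'Objectify Media', 'Catalytix', 'OptimizerMonitor'
)
$pattern = ($suspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-InterceptionRoots {
    param([string]$NamePattern = $pattern)
    # Root, AuthRoot and CA are the stores an installer would use to plant a trusted
    # issuer; check both hives, since installers differ in where they write.
    $stores = foreach ($hive in 'LocalMachine', 'CurrentUser') {
        foreach ($store in 'Root', 'AuthRoot', 'CA') { "Cert:\$hive\$store" }
    }
    foreach ($path in $stores) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Where-Object {
            $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern
        } | ForEach-Object {
            $bc = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                IsCA       = [bool]($bc -and $bc.CertificateAuthority)
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

$hits = @(Find-InterceptionRoots)
if ($hits.Count -eq 0) {
    "No certificate matching the listed issuers found in the trust stores."
} else {
    $hits | Format-Table -AutoSize
    # Removal is by thumbprint, once a hit has been confirmed, e.g.:
    #   Remove-Item -Path "Cert:\LocalMachine\Root\<Thumbprint>"
}
```

A hit with IsCA set to true in a Root or AuthRoot store is the dangerous case: that issuer can sign a certificate for any site. Where the exact thumbprint of a known bad root is available (Lenovo’s removal instructions give the Superfish one), matching on the thumbprint is more reliable than matching on names.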
“What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove,” Facebook threats researcher Matt Richard wrote in a blog post. “Furthermore, it is likely that these intercepting SSL proxies won't keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by anti-virus products as malware or adware, though from our research, detection successes are sporadic.”
Richard has also pointed out that a piece of malware detected by Symantec as Trojan.Nurjax uses the Komodia products.
Komodia representatives told SecurityWeek that the company will release an official statement on the matter within 24 hours. The company’s website is currently offline due to a distributed denial-of-service (DDoS) attack.
Lenovo has apologized to customers for the incident and provided instructions and software for removing both the Superfish application and its root certificate; uninstalling the application alone leaves the root in the trust store, so the certificate has to be removed as a separate step. The company’s representatives believe that the risks identified by researchers are “theoretical.” Graham’s experiment, however, shows that exploitation is practical.
Superfish has also attempted to downplay the seriousness of the incident. The firm says its software does not present a security risk, and noted that the “vulnerability was introduced unintentionally by a 3rd party.”
A class action lawsuit has already been filed against Lenovo and Superfish.