SecurityWeek

Vulnerabilities

Superfish SSL Interception Library Found in Several Applications: Researchers

The controversial SSL interception library used by the Superfish software installed recently on Lenovo laptops can be found in at least a dozen other applications, researchers have determined.

Lenovo came into the spotlight last week after numerous buyers of new laptops started complaining about ad injections made by a browser add-on from Superfish. It later turned out that the application installs its own self-signed root certificate into the Windows trust store and runs a local proxy that intercepts HTTPS connections so it can inject the ads.

Several problems have been identified by security experts. Besides the fact that the adware breaks HTTPS browsing, every certificate the Superfish proxy generates is signed with the same root private key, which ships on every affected machine and was protected only by the password “komodia.” Anyone who extracts that key once can therefore sign a certificate for any website, and every machine with the Superfish root installed will trust it.

Komodia is the name of the company that develops Komodia Redirector and Komodia SSL Digestor, the solutions used by the Superfish app to intercept connections and manipulate HTTPS traffic.

According to security researcher Marc Rogers, Komodia’s proxy software does not implement SSL correctly and does not properly validate the certificates of the sites it connects to. Since the browser only ever sees the certificate the local proxy re-signs with its own root, the user gets no warning about a server certificate the proxy wrongly accepted.

These issues can be abused by a malicious actor to hijack affected users’ connections. As Errata Security’s Robert Graham has demonstrated, the Superfish certificate can be used to “pwn victims” over a rogue Wi-Fi hotspot using widely available hardware and software.

Rogers says the problematic Komodia library can be found in several products, including parental control software from Komodia and Qustodio, Kurupira Webfilter, Staffcop, Easy hide IP Classic, and Lavasoft Ad-aware Web Companion.

Researchers at Facebook also reported identifying more than a dozen applications using the library. The list of certificate issuers found by the social media company includes CartCrunch Israel LTD, WiredTools LTD, Say Media Group LTD, Over the Rainbow Tech, System Alerts, ArcadeGiant, Objectify Media Inc, Catalytix Web Services, and OptimizerMonitor.


According to Facebook, these certificates have been seen on more than 1,000 systems on the Internet. The company noted that only Windows appears to be affected because the library is built for that platform only.

“What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove,” Facebook threats researcher Matt Richard wrote in a blog post. “Furthermore, it is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by anti-virus products as malware or adware, though from our research, detection successes are sporadic.”

Richard has pointed out that even a piece of malware, detected by Symantec as Trojan.Nurjax, uses the Komodia products.
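As an added example (not code from SecurityWeek, Lenovo, Superfish, Komodia or Facebook), the Go program below reproduces the two practical points made above using only the standard library’s crypto/x509: why a root certificate whose private key is the same on every machine lets anyone forge a trusted certificate for any site (Graham’s “pwn victims” scenario), and a first-pass check that flags roots in an exported trust store whose subject matches one of the issuer names listed by Rogers and Facebook above, plus the Superfish root’s own subject name, “Superfish, Inc.” The CA keys are generated fresh on each run; the “Example Trust Services” root, the bank.example hostname and all function names are invented for the demonstration, and the real Superfish key and certificate are not used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Issuer names the article ties to the Komodia library, matched case-insensitively against CN and O.
var knownInterceptors = []string{
	"Superfish, Inc.", "CartCrunch Israel LTD", "WiredTools LTD", "Say Media Group LTD", "Over the Rainbow Tech",
	"System Alerts", "ArcadeGiant", "Objectify Media Inc", "Catalytix Web Services", "OptimizerMonitor",
}

// sign gives tmpl a fresh P-256 key and a 24h validity window, then signs it with parent (nil = self-signed).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unusable
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// newRootCA builds a self-signed CA. The key is fresh here; on a real Superfish install it was the same on every laptop.
func newRootCA(org string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: org, Organization: []string{org}},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// forgeLeaf issues a server certificate for any hostname with the CA key: what an attacker holding the shared key does per site.
func forgeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// clientAccepts does what a TLS client does: chain the leaf to the trust store and match the SAN to the hostname.
func clientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// suspiciousRoots filters a trust store (e.g. a parsed export of the Windows Trusted Root store) to interceptor roots.
func suspiciousRoots(roots []*x509.Certificate) []string {
	var hits []string
scan:
	for _, c := range roots {
		for _, n := range append([]string{c.Subject.CommonName}, c.Subject.Organization...) {
			for _, bad := range knownInterceptors {
				if strings.EqualFold(n, bad) {
					hits = append(hits, c.Subject.String())
					continue scan
				}
			}
		}
	}
	return hits
}

// demo: victim store = a benign root plus a Superfish-style root; the attacker forges a cert for a site they do not own.
func demo() (withRogue, without bool, flagged []string) {
	legit, _ := newRootCA("Example Trust Services")   // hypothetical benign CA
	rogue, rogueKey := newRootCA("Superfish, Inc.")    // stand-in for the shared root
	leaf := forgeLeaf(rogue, rogueKey, "bank.example") // attacker picks any host
	victim, clean := x509.NewCertPool(), x509.NewCertPool()
	victim.AddCert(legit)
	victim.AddCert(rogue)
	clean.AddCert(legit)
	withRogue = clientAccepts(leaf, victim, "bank.example")
	without = clientAccepts(leaf, clean, "bank.example")
	flagged = suspiciousRoots([]*x509.Certificate{legit, rogue})
	return
}

func main() {
	withRogue, without, flagged := demo()
	fmt.Println("forged cert accepted with rogue root:", withRogue, "| with clean store:", without, "| flagged:", flagged)
}
```

On a real Windows machine the input to suspiciousRoots would be the certificates exported from the Trusted Root Certification Authorities store (for example via certutil -store Root, or PowerShell’s Cert:\LocalMachine\Root and Cert:\CurrentUser\Root drives). Matching on issuer name is only quick triage, since a root installed under a different name slips past it; confirm hits by fingerprint and remove the root with the vendor’s removal tool, as Lenovo now provides, rather than deleting it by hand and leaving the proxy in place.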

Komodia representatives told SecurityWeek that the company will release an official statement on the matter within 24 hours. The company’s website is currently offline due to a distributed denial-of-service (DDoS) attack.

Lenovo has apologized to customers for the incident and provided them with instructions and software for removing the Superfish app and the problematic certificate. The company’s representatives believe that the risks identified by researchers are “theoretical.” However, Graham’s experiment is meant to demonstrate that an exploit is practical.

Superfish has also attempted to downplay the seriousness of the incident. The firm says its software does not present a security risk, and noted that the “vulnerability was introduced unintentionally by a 3rd party.”

A class action lawsuit has already been filed against Lenovo and Superfish.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
