Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Superfish SSL Interception Library Found in Several Applications: Researchers

The controversial SSL interception library used by the Superfish software installed recently on Lenovo laptops can be found in at least a dozen other applications, researchers have determined.

The controversial SSL interception library used by the Superfish software installed recently on Lenovo laptops can be found in at least a dozen other applications, researchers have determined.

Lenovo came into the spotlight last week after numerous individuals who acquired new laptops started complaining about ad injections made by a browser add-on from Superfish. It later turned out that the application used a proxy and a self-signed root certificate to intercept HTTPS connections and inject the ads.

Several problems have been identified by security experts. Besides the fact that the adware breaks HTTPS browsing, every one of the Superfish certificates is signed with the same private key, which is protected by the same password, “komodia.”

Komodia is the name of the company that develops Komodia Redirector and Komodia SSL Digestor, the solutions used by the Superfish app to intercept connections and manipulate HTTPS traffic.

According to security researcher Marc Rogers, Komodia’s proxy software doesn’t correctly implement SSL, and it doesn’t validate certificates properly.

These issues can be leveraged by a malicious actor to hijack affected users’ connections. As Errata Security’s Robert Graham has demonstrated, the Superfish certificate can be used to “pwn victims” over a rogue Wi-Fi hotspot by utilizing widely available hardware and software.

Rogers says the problematic Komodia library can be found in several products, including parental control software from Komodia and Qustodio, Kurupira Webfilter, Staffcop, Easy hide IP Classic, and Lavasoft Ad-aware Web Companion.

Researchers at Facebook also reported identifying more than a dozen applications using the library. The list of certificate issuers found by the social media company includes CartCrunch Israel LTD, WiredTools LTD, Say Media Group LTD, Over the Rainbow Tech, System Alerts, ArcadeGiant, Objectify Media Inc, Catalytix Web Services, and OptimizerMonitor.

Advertisement. Scroll to continue reading.

According to Facebook, these certificates have been seen on more than 1,000 systems on the Internet. The company noted that only Windows appears to be impacted because the library is platform specific.

“What all of these applications have in common is that they make people less secure through their use of an easily obtained root CA, they provide little information about the risks of the technology, and in some cases they are difficult to remove,” Facebook threats researcher Matt Richard wrote in a blog post. “Furthermore, it is likely that these intercepting SSL proxies won’t keep up with the HTTPS features in browsers (e.g., certificate pinning and forward secrecy), meaning they could potentially expose private data to network attackers. Some of these deficiencies can be detected by anti-virus products as malware or adware, though from our research, detection successes are sporadic.”

Richard has pointed out that even a piece of malware, detected by Symantec as Trojan.Nurjax, uses the Komodia products.

Komodia representatives told SecurityWeek that the company will release an official statement on the matter within 24 hours. The company’s website is currently offline due to a distributed denial-of-service (DDoS) attack.

Lenovo has apologized to customers for the incident and provided them with instructions and software for removing the Superfish app and the problematic certificate. The company’s representatives believe that the risks identified by researchers are “theoretical.” However, Graham’s experiment is meant to demonstrate that an exploit is practical.

Superfish has also attempted to downplay the seriousness of the incident. The firm says its software does not present a security risk, and noted that the “vulnerability was introduced unintentionally by a 3rd party.”

A class action lawsuit has already been filed against Lenovo and Superfish.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.