Security Researcher: Superfish Could Be Catastrophic

Apparently, Superfish stinks worse than security industry watchers first thought. There was an uproar when the world discovered Lenovo, the world's largest PC maker, has been shipping laptops pre-installed with a virus-like software that puts customers in the line of hacker fire. But uproar may soon be an understatement.

Since June, Lenovo customers have been reporting a program called Superfish, software that automatically displays advertisements in the name of helping consumers find products online. Superfish is designed to intercept all encrypted connections and leaves the door open for NSA-style spies to hack into PCs through man-in-the-middle (MitM) attacks, according to Robert Graham, CEO of security research firm Errata Security.

Lenovo was quick to apologize and release an automated tool that promises to eradicate Superfish adware from PCs. Microsoft has updated Windows Defender to remove the malware, and other security vendors have followed suit, but that may not solve the problem for users who don't know they are infected.

The Only Thing Worse . . .

On Friday, Facebook's Threat Infrastructure team issued an analysis of the adware, which concluded that "the new root CA (certificate authority) undermines the security of Web browsers and operating systems, putting people at risk." Now security researcher Filippo Valsorda is calling Superfish adware "catastrophic," saying that's "the only way all this mess could have been worse."

Why? Because the Superfish proxy, which uses a Komodia content inspection engine, can be made to allow self-signed certificates without warnings. That opens the door to man-in-the-middle attacks.
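Because the adware works by planting its own root CA in the Windows trust store, an affected user can check for it directly. The following PowerShell check is an added example, not code from the article, Lenovo or Facebook; it assumes the injected CA's subject name contains the string "Superfish" and that the standard Root stores are where it was installed.

```powershell
# Added example: scan the Windows trusted-root stores for a Superfish root CA.
# Assumption: the injected CA's Subject contains "Superfish" (adjust $pattern if needed).
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$pattern = 'Superfish'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer        # a root CA is self-issued: Issuer == Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Deleting the certificate alone does not remove the proxy software that installed it;
    # use Lenovo's removal tool or an updated Windows Defender, then re-run this check.
    Write-Warning "Trusted root matching '$pattern' found. Clean the system and confirm the certificate is gone from every store listed above."
} else {
    Write-Output "No trusted root certificate matching '$pattern' in $($stores -join ', ')."
}
```

Run it from an elevated PowerShell session so that the LocalMachine store can be read; the script only reads and reports, it removes nothing.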

"What we all realized in horror is that the root private key is the same on all machines, so anyone can take that and sign fake certificates to use in MitM attacks," Valsorda wrote in a blog post. "Komodia should be punished for jeopardizing the users, like probably all the companies that didn't do due...
