Superfish security flaw also exists in other apps, non-Lenovo systems

A third-party, man-in-the-middle proxy used by Superfish is also used in other apps

On Thursday security researchers warned that an adware program called Superfish, which was preloaded on some Lenovo consumer laptops, opened computers to attack. However, it seems that the same poorly designed and flawed traffic interception mechanism used by Superfish is also used in other software programs.

Superfish uses a man-in-the-middle proxy component to interfere with encrypted HTTPS connections, undermining the trust between users and websites. It does this by installing its own root certificate in Windows and uses that certificate to re-sign SSL certificates presented by legitimate websites.

Security researchers found two major issues with this implementation. First, the software used the same root certificate on all systems and second, the private key corresponding to that certificate was embedded in the program and was easy to extract.

With the key now public, malicious hackers can launch man-in-the-middle attacks via public Wi-Fi networks or compromised routers against users who have Superfish installed on their systems.

But it gets worse. It turns out Superfish relied on a third-party component for the HTTPS interception functionality: an SDK (software development kit) called the SSL Decoder/Digestor made by an Israeli company called Komodia.

Researchers have now found that the same SDK is integrated into other software programs, including parental control software from Komodia itself and other companies. And as expected, those programs intercept HTTPS traffic in the same way, using a root certificate whose private key can easily be extracted from their memory or code.

Some users have started compiling lists with the affected software programs, their certificates and their private keys. Those affected products include Keep My Family Secure, Qustodio and Kurupira WebFilter.

"I think that at this point it is safe to assume that any SSL interception product sold by Komodia or based on the Komodia SDK is going to be using the same method," said Marc Rogers, principal security researcher at CloudFlare, in a post on his personal blog. "It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected."

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which is sponsored by the U.S. Department of Homeland Security, has issued a security advisory about the issue.

The main page on the Komodia website was replaced with a message that reads: "Site is offline due to DDOS with the recent media attention."

Security researcher named Filippo Valsorda created a site where users can check if they're affected by the Superfish issue, especially since the Superfish software was distributed in multiple ways, not just through Lenovo laptops. The site also contains instructions on how to remove the rogue Superfish root certificate from Windows and Firefox.

The same removal instructions should be applied to all certificates installed by products that use the Komodia SDK, but identifying them is not easy and it's unlikely that all affected products have been found. Users shouldn't remove any of the legitimate certificates that are in the Windows or Firefox certificate stores, because that could generate certificate errors on legitimate websites.

It's not clear if any way will be found to fix this issue for all affected users that lets them avoid manually removing certificates. As Matthew Green, a cryptography professor at Johns Hopkins University, explains in a blog post, browser vendors can't simply blacklist the certificates in their respective browsers because the affected software would continue to re-sign legitimate certificates and this would generate certificate errors that would prevent users from connecting to websites.

Microsoft is also unlikely to push an update that removes legitimate programs from computers that were willingly installed by users, such as parental control applications, because that would set a dangerous precedent.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Komodiaonline safetysecurityencryptionLenovoSuperfishExploits / vulnerabilitiespki

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?