Superfish security flaw also exists in other apps, non-Lenovo systems

A third-party, man-in-the-middle proxy used by Superfish is also used in other apps

On Thursday security researchers warned that an adware program called Superfish, which was preloaded on some Lenovo consumer laptops, opened computers to attack. However, it seems that the same poorly designed and flawed traffic interception mechanism used by Superfish is also used in other software programs.

Superfish uses a man-in-the-middle proxy component to interfere with encrypted HTTPS connections, undermining the trust between users and websites. It does this by installing its own root certificate in Windows and uses that certificate to re-sign SSL certificates presented by legitimate websites.

Security researchers found two major issues with this implementation. First, the software used the same root certificate on all systems and second, the private key corresponding to that certificate was embedded in the program and was easy to extract.

With the key now public, malicious hackers can launch man-in-the-middle attacks via public Wi-Fi networks or compromised routers against users who have Superfish installed on their systems.

But it gets worse. It turns out Superfish relied on a third-party component for the HTTPS interception functionality: an SDK (software development kit) called the SSL Decoder/Digestor made by an Israeli company called Komodia.

Researchers have now found that the same SDK is integrated into other software programs, including parental control software from Komodia itself and other companies. And as expected, those programs intercept HTTPS traffic in the same way, using a root certificate whose private key can easily be extracted from their memory or code.

Some users have started compiling lists with the affected software programs, their certificates and their private keys. Those affected products include Keep My Family Secure, Qustodio and Kurupira WebFilter.

"I think that at this point it is safe to assume that any SSL interception product sold by Komodia or based on the Komodia SDK is going to be using the same method," said Marc Rogers, principal security researcher at CloudFlare, in a post on his personal blog. "It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected."

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which is sponsored by the U.S. Department of Homeland Security, has issued a security advisory about the issue.

The main page on the Komodia website was replaced with a message that reads: "Site is offline due to DDOS with the recent media attention."

Security researcher named Filippo Valsorda created a site where users can check if they're affected by the Superfish issue, especially since the Superfish software was distributed in multiple ways, not just through Lenovo laptops. The site also contains instructions on how to remove the rogue Superfish root certificate from Windows and Firefox.

The same removal instructions should be applied to all certificates installed by products that use the Komodia SDK, but identifying them is not easy and it's unlikely that all affected products have been found. Users shouldn't remove any of the legitimate certificates that are in the Windows or Firefox certificate stores, because that could generate certificate errors on legitimate websites.

It's not clear if any way will be found to fix this issue for all affected users that lets them avoid manually removing certificates. As Matthew Green, a cryptography professor at Johns Hopkins University, explains in a blog post, browser vendors can't simply blacklist the certificates in their respective browsers because the affected software would continue to re-sign legitimate certificates and this would generate certificate errors that would prevent users from connecting to websites.

Microsoft is also unlikely to push an update that removes legitimate programs from computers that were willingly installed by users, such as parental control applications, because that would set a dangerous precedent.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Komodiaonline safetysecurityencryptionLenovoSuperfishExploits / vulnerabilitiespki

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?