Lenovo Responds to Superfish Vulnerability

Lenovo has responded to the inclusion of the Superfish software on its hardware by publishing tools to remove it. After initially denying that there were any security implications, the original statement was updated to remove any such claim. Removing the software, deleting the root certificate, and changing any passwords used on the affected Lenovo laptops is highly recommended.

The problem came from the inclusion of Superfish on Lenovo machines (the affected models are listed in the official post), which installs a fake certificate authority into the operating system's list of trusted certificate roots. A certificate authority (or CA for short) is represented by a self-signed root certificate that the browser trusts implicitly. When validating a remote site over SSL, a chain of trust is established from the certificate presented by the server through one or more intermediate certificates to a known-good root certificate that ultimately signed them. Root certificates are typically installed by default into the operating system or browser, with well-known examples from Verisign, Thawte, Symantec et al.

Since a root certificate can be used to sign certificates for any domain, a fake root whose private key is known allows certificates to be minted for any individual site. Provided the certificate chains to a trusted root, the browser cannot distinguish a legitimate certificate from a forged one.

Superfish is designed to allow a remote party to impersonate certain websites by creating a fake certificate that appears valid to the browser. The same interception technique is used in a number of products, from corporate firewalls to parental monitoring. The impersonation allows a remote computer to masquerade as the real site, whilst suppressing any warnings or errors that the browser's normal checking mechanisms would show. In corporate environments such termination is often done at a proxy, whilst for parental filtering it can be done either by running a local proxy on the machine or by intercepting network packets at a low level through some filtering mechanism.

Unfortunately this means that any access to a site over https may not have been secure on systems with Superfish installed and enabled. Worse, since logins are typically performed over https, any such communication may have been intercepted and stored, with the result that passwords may need to be changed for systems that don't have two-factor authentication. (Google has some advice on staying secure.)

Worse still, the fake root certificate installed by Superfish has been cracked: its private key was protected with a trivial password, komodia, which means that anyone can generate a certificate claiming to be a site they don't own and have no warnings generated by the browser. Laptops that connect to arbitrary WiFi networks are particularly vulnerable, since a fake access point advertising the same network name is trivial to provide.

As well as uninstalling the Superfish software, it is also necessary to check that any browsers in use don't still have the rogue root certificate installed. Sites such as https://filippo.io/Badfish/ and https://www.canibesuperphished.com provide a means to check whether the connection is vulnerable: if a certificate warning is shown then you are not vulnerable; otherwise consult the removal guides, which involve running certmgr.msc as an Administrator and deleting any certificate claiming to be issued by Superfish, Inc.
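To make the chain-of-trust argument above concrete, and to show the certmgr.msc check as code, here is an added Go example (not from InfoQ, Lenovo or Superfish). It builds a constructed trusted root, a constructed rogue "Superfish, Inc." root and a forged leaf for the made-up host bank.example, then shows that the forged leaf is rejected until the rogue root enters the trust store, and how a scan of the store would flag that root for removal.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)
// mkCert issues a throwaway P-256 certificate: self-signed when parent is nil, otherwise signed by parent.
func mkCert(subj pkix.Name, dns []string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{ // a nanosecond serial is adequate for a constructed demo
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj, DNSNames: dns, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil { // a root signs itself
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Trusted reports whether leaf chains to one of roots for host: the check a browser makes on every https connection.
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// SuspectRoots lists CA certificates in store whose issuer names badOrg: the manual certmgr.msc check, automated.
func SuspectRoots(store []*x509.Certificate, badOrg string) (hits []string) {
	for _, c := range store {
		if c.IsCA && strings.Contains(c.Issuer.String(), badOrg) {
			hits = append(hits, c.Subject.CommonName)
		}
	}
	return hits
}
func main() {
	legit, _ := mkCert(pkix.Name{CommonName: "Example Trusted Root", Organization: []string{"Example CA Ltd"}}, nil, true, nil, nil)
	rogue, rogueKey := mkCert(pkix.Name{CommonName: "Superfish, Inc.", Organization: []string{"Superfish, Inc."}}, nil, true, nil, nil)
	forged, _ := mkCert(pkix.Name{CommonName: "bank.example"}, []string{"bank.example"}, false, rogue, rogueKey) // constructed host
	clean, tainted := x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(legit)
	tainted.AddCert(legit)
	tainted.AddCert(rogue) // what the Superfish installer did to the Windows root store
	fmt.Println(Trusted(forged, clean, "bank.example"), Trusted(forged, tainted, "bank.example"), SuspectRoots([]*x509.Certificate{legit, rogue}, "Superfish"))
}
```

The three printed values are false, true and the list containing only "Superfish, Inc.": the same forged certificate goes from rejected to silently accepted purely because of what is in the root store, which is why removing the certificate matters as much as removing the software.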

Finally, don't forget that passwords may have been compromised on any system that had Superfish or its root certificate installed, so they should be changed as a matter of course.

Why Lenovo added the software is unknown, but manufacturers have been known to bundle adware into products after being paid by advertisers to do so. The adware can do a number of things, such as changing the browser's default search provider, or replacing adverts on an existing web page with different ones (in some cases serving the advertising material into an https page via http, thereby introducing further security vulnerabilities). Simon Phipps, writing for ZDNet in January 2013, pointed out that Oracle was shipping Java with the Ask toolbar, which performed the same kind of in-browser changes to allow adverts to be rewritten and search queries to be redirected. Even though Oracle was giving Java away for free, it was still making money through the sponsorship bundled with the product.

With the global media response now focusing on Lenovo (BBC, WSJ, FT), it's likely that those who bundle such software will reconsider whether the value gained outweighs the reputational damage caused by being associated with adware.

Update: Microsoft has added the Superfish software and certificate to its Windows Defender anti-virus definitions, version 1.193.444.0, according to Italian CloudFlare Security Team member @FiloSottile. This removes the certificate from the system's registry-backed certificate store, but other browsers (such as Firefox) that keep their own store may still have the certificate installed. In addition, products based on the Superfish/Komodia interception library will be disabled by this update.
