Come on in and get mucky. The Bayou water is cold but fine. Nothing in here that won’t probably bite you (hard enough to draw blood) or cause weird growths (on your system) if you dip in.
When we last hauled in the Superfish mess, Lenovo had ping-ponged back and forth about it not being a problem, then conceding it was a problem, issuing a removal tool, and now going into apology-mode.
Great. We are making progress.
Only as time goes on and the security folks noodle the bayou, they keep hauling out additional examples of this exploit and the mess grows deeper.
I don’t Twitter but do manually follow InfoSec Taylor Swift (@SwiftOnSecurity) and found this mindful tweet in the stream:
In the 2000s, DRM was the temptation and we got the Sony rootkit. In the 2010s, advertising is the temptation and we got Superfish.
— James Grimmelmann (@grimmelm) February 23, 2015
I think it is a great point of context with all the SuperCookies, mobile-app ID trackers, and the whole Internet of Things (IoT) we now live with daily.
So were are we now with this Superfish story?
This post is excellent (and highly Valca recommended for IT readers of all age levels) to bring everyone up to speed on the dangers of third-party “enhanced” download and installer file bundling.
Even more companies are using the same technique as Superfish and doing HTTPS-Hijacking & HTTPS-validation disabling.
The post goes in ways to check your Trusted Root Certification Authorities store and check around for some HTTPS MITM hijackers that are listed.
Then there are some very good recommendations and reminders for protection against that threat.
Test to see if your browser(s) are vulnerable:
Superfish, Komodia, PrivDog vulnerability test – Filippo.IO
Filippo Valsorda has coded up a page that allows you to visit it with EACH of your installed web-browsers to see if they are vulnerable to the Superfish, Komodia, PrivDog vulnerability. Easy to do and a great place to start assessing your system’s security.
Now for noodling in deeper waters:
- Komodia/Superfish SSL Validation is broken – Filippo Valsorda’s technical post about the issue.
- Make your own Superfish infected VM – Filippo Valsorda’s blog
- Some notes on SuperFish – Errata Security blog – Robert Graham
- Extracting the SuperFish certificate – Errata Security blog – Robert Graham
- Exploiting the Superfish certificate – Errata Security blog – Robert Graham
- Superfish Spyware Also Available for iOS and Android - Zdziarski's Blog of Things by Jonathan Zdziarski
- Adware Privdog worse than Superfish - Hanno's blog
- Lenovo's Superfish spectacle: 'Catastrophic' security failures discovered – ZDNet Zero Day blog
- Lenovo Superfish Adware Vulnerable to HTTPS Spoofing - US-CERT
- Vulnerability Note VU#529496 - Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys – CERT.ORG
- Superfish not the only app using Komodia's SSL-busting code – Help Net Security blog
- SSL-busting code that threatened Lenovo users found in a dozen more apps - Ars Technica
- Security software found using Superfish-style code, as attacks get simpler - Ars Technica
- Superfish Fallout Raises Privacy Concern Over Parental Control Apps - Malwarebytes Unpacked
- Super Fish-Internals - fail Defender Removal Tools? – Borns IT and Windows Blog (page URL via Google Translate)
- Create an SSL problem: Comodo provides Adware Privdog from – Borns IT and Windows Blog (page URL via Google Translate)
- PrivDog torpedoed web security in the name of privacy – H heise Security (page URL via Google Translate)
- Bitdefender Adware Removal Tool updated to remove Superfish – BetaNews
Feed Me!
I want to highlight these blogs which much of the research and analysis documentation listed here. Some offer RSS feeds and have ongoing posts of themes that may be useful for the for/sec crowd. I’m always on the lookout and want to draw attention to the work behind great technical writers and researchers.
- Zdziarski's Blog of Things - Zdziarski's Blog of Things by Jonathan Zdziarski
- Filippo.io - Filippo Valsorda’s blog
- Hanno's blog – blog by Hanno Böck
- Errata Security – blog by Robert Graham and David Maynor
Constant Vigilance!
--Claus Valca