Friday, February 20, 2015

Superfish Adware Installed on Lenovo Laptops Breaks ALL SSL

Marc Rogers explains Lenovo installs adware on customer laptops and compromises ALL SSL "A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a ‘man-in-the-middle’ attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE."

"Lenovo has partnered with a company called Superfish to install advertising software on it’s customer’s laptops. Under normal circumstances this would not be cause for concern. However Superfish’s software has quite a reputation. It is a notorious piece of “adware”, malicious advertising software."

Ars describes it too, Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections. "Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said."

The EFF phrases it well, Lenovo Is Breaking HTTPS Security on its Recent Laptops. "Using a MITM certificate to inject ads was an amateurish design choice by Superfish. Lenovo's decision to ship this software was catastrophically irresponsible and an utter abuse of the trust their customers placed in them."

Here's Lenovo's Original Statement on Superfish but they've since come around, Lenovo CTO says, “We didn’t do enough,” promises to wipe Superfish off PCs. But as Ars points out, "Removal software does nothing to protect vulnerable customers now. If Lenovo is truly sorry, the company should offer affected customers a replacement machine at no cost and ensure all vulnerable machines are removed from the supply chain."

Here's a site you can use to Check if you trust the Superfish CA. And here's How to remove Superfish. Robert Graham describes how he "extracted the certificate from the SuperFish adware and cracked the password ("komodia") that encrypted it."

Matthew Green thinks about possible fixes, How to paint yourself into a corner (Lenovo edition) "I’d like to discuss is some of the options for large-scale automated fixes to this kind of vulnerability. It’s quite possible that Lenovo will do this by themselves — pushing an automated patch to all of their customers to remove the product — but I'm not holding my breath. If Lenovo does not do this, there are roughly three options." None of which are particularly good.

As Matt Blaze tweeted, "Remember back in 2006 when everyone laughed at the State Department for banning Lenovo computers? They sure showed us." Details on that from The Verge two years ago, Lenovo reportedly banned by MI6, CIA, and other spy agencies over fear of Chinese hacking.

Update: Ars reports that Windows Defender now removes Superfish malware… if you’re lucky. It removes the software AND the bad certificate but it doesn't fix contaminated browsers like Firefox. Also it seems Defenders turns itself off if you installed other anti-malware. I don't know anything about it but I assume you can run it manually somehow.

No comments: