Lenovo to customers: We only just found out about this Superfish vuln – remove it NOW

A bruised Lenovo has finally released a removal tool for the Superfish vuln that hijacks web browsers to inject ads into pages. It comes after the Chinese PC maker spent the past few days attempting to make the bad news about the badware go away, with the claim that it had "stopped preloads [of the Superfish software] …

  1. Big John Silver badge

    Orange Alert!

    "We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat."

    Which threat? The security threat, or the threat to their bottom line?

    1. Mad Chaz

      Re: Orange Alert!

      "Which threat? The security threat, or the threat to their bottom line?"

      I think it's the threat to the PR director's job that got them moving.

      1. JLV Silver badge

        Re: Orange Alert!

        Upvoted you, but you got that slightly wrong. The PR dudette is gonna be very very busy repairing the mess. Not the time to fire her while there is such a big mess that she had nothing to do with.

        The threat is probably to whatever C-level idiot gave the green flag to essentially hacking users' net connections in order to serve up ads. Which is reprehensible enough on its own. And incidentally doing so in a highly insecure fashion.

        Not sure whose department this fiasco would be initiated under. I guess whatever department is traditionally tasked with inflicting bloatware onto customers. This is going to be an expensive mistake for likely little gain.

        MS should take note as well. This is not their fault, true, but they also provide no means for users to do a clean-slate, non-manufacturer bloat, install of Windows. By that I mean provide essentially the same disks/downloads as if you walked into a store and bought Windows off the shelf. Not their fault, but it leaves you with the same question: can you trust your brand-new PC? No, not entirely.

        We should get a valid, go-to-MS-when-needed, OEM license for Windows, not just some bloated manufacturer install. I for one have no idea what happens if I re-format my Asus laptop. I assume I can re-install Windows somehow from their recovery partition, but I won't know that unless I try it. I know how to rebuild with a Windows install disk and I would much prefer to be in that position with my Asus.

        So people rightly worried at this could either pay the Windows tax twice to get a clean disk, buy a Mac or use Linux. Leaving aside that Apple may or may not do this Lenovo-style crap, which I doubt, but at least you can get clean-install-capable OS images from them.

        Lenovo really sh*t in their own nest, as well as the PC ecosystem in general on this one.

        1. jason 7

          Re: Orange Alert!

          If you use the recovery partition then 99 times out of 100 you get all the bloatware re-installed.

          Nothing like having a laptop freshly installed with mouldy 3+ year old installs of Adobe Acrobat/Flash/Java/Skype/Wild Tangent Games/Oberon Media/OoVoo/Ebay links/Cyberlink DVD player/McAfee/Nero Express/Norton Backup/Power2Go/Bing Bar/Google Tool Bar etc. etc.

          Mmmm smooth!

          1. Anonymous Coward

            Re: Orange Alert!

            LOL, good one, at least we can get a laugh about this very pathetic story. Just like when Microsoft told me they can't send me a recovery media of Windows 8.1 because I've bought Windows 8 and 8.1 is an upgrade, not an update. My kids are already using Linux, Windows 8 is too complicated to re-install.

            It's just too bad that it's so complicated to find something not made in China anymore...

            1. Steve78

              Re: Orange Alert!

              You can download Windows 8.1 directly from Microsoft.

              http://windows.microsoft.com/en-GB/windows-8/create-reset-refresh-media

        2. regadpellagru

          Re: Orange Alert!

          "MS should take note as well. This is not their fault, true, but they also provide no means for users to do a clean-slate, non-manufacturer bloat, install of Windows. By that I mean provide essentially the same disks/downloads as if you walked into a store and bought Windows off the shelf. Not their fault, but it leaves you with the same question: can you trust your brand-new PC? No, not entirely.

          We should get a valid, go-to-MS-when-needed, OEM license for Windows, not just some bloated manufacturer install. I for one have no idea what happens if I re-format my Asus laptop. I assume I can re-install Windows somehow from their recovery partition, but I won't know that unless I try it. I know how to rebuild with a Windows install disk and I would much prefer to be in that position with my Asus."

          That's actually a very good point. I've always been very worried about seeing people around me *never* get an MS install disk, and being served the usual "recovery partition" pitch by whatever sales droid.

          Now I know why: the OS sold is not the one from MS, but from the vendor, who definitely has incentives to put crapware in it, unlike MS.

          Creepy.

          1. P. Lee Silver badge

            Re: Orange Alert!

            >MS should take note as well. This is not their fault,

            Oh yes it is MS' fault. They are seeding the market with cheap Windows but trying to preserve the high cost of retail/business Windows by allowing OEMs to devalue OEM-Windows by bundling rubbish into the install.

            They could protect their IP by only allowing HW drivers to be included in an OEM Windows installation. "Helpful additional software" to be provided as an option afterwards.

            MS could also provide clean easily accessible Windows images for DVD & USB installation.

            1. fajensen Silver badge

              Re: Orange Alert!

              And MS could make "Applocker" available, scriptable, and Easy To Use on ALL its products, even the consumer versions. That would help a great deal to prevent the next infection with Snap.Do - and all other dreck signed by "ReSoft Ltd". Of course nuking the ReSoft site would also work.

            2. Tom 13

              Re: allowing OEMs to devalue OEM-Windows by bundling rubbish

              Whether or not the OEM install devalues the install is entirely up to the OEM.

              Granted in the current incarnation of Windows, it's a bit hard to get the drivers wrong. But that hasn't always been the case. I recall plenty of builds requiring me to hit F4 at just the right point to add a third party driver or the OS install would fail.

              I even recall one particularly odious problem where a new motherboard wouldn't accept a reliable, known working device after we upgraded a MB. Apparently Intel made a change to the ATA channel and it wasn't backward compatible. Spent three days working on that one before our chief tech called the device vendor and found there was a driver problem they weren't planning to fix. For those situations the OEM build is preferable. The device was actually pretty handy. It was a CD jukebox that would let you load 5 CDs and access any one of them. Had to replace it with a SCSI controller and device that cost the client almost as much as they originally paid for the PC. Took a serious loss on that one because we obviously couldn't charge them for 3 days of tech time.

        3. pompurin

          Re: Orange Alert!

          I've bought two Medion Laptops (made famous by Aldi) direct online and they had an excellent way of recovering. They use a secondary partition like most manufacturers do, but they had a list of driver folders from 01 to 13 in the order you were expected to install. Within ten minutes of a fresh install I had all the drivers installed and solved all of the usual issues I have with Windows like Wifi, Bluetooth, SD Card readers, Laptop hotkeys. Not a bit of bloatware in sight. That's nice.

        4. Micha

          Re: Orange Alert!

          You can download Microsoft Windows ISOs for free. Just make sure you have your product key! And that you verify the MS-published checksums to ensure you really did get the MS ISO without any crapware.

          Took seconds to find this link; I'm sure there are ISOs for non-Ultimate versions as well.

          http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/where-can-i-download-windows-7-iso-i-have-a/7d964b05-2be9-4800-bc7f-3ca30356fc3d

    2. Fatman Silver badge
      Linux

      Re: Orange Alert!

      NOOOOOOO!!!!!

      It is BROWN STUFF alert (as in the substance hitting the fan).

      This incident only makes it clear that any IT department worth its salt would:

      1) wipe the OEM preload with their own image, or

      2) nuke the goddamn thing from orbit and put Linux on it - a better (IMHO) solution, assuming that one isn't LOCKED into the WindblowZE platform.

      1. Blitterbug
        Facepalm

        Re: WindblowZE

        Seriously? This, still?

    3. Tom 13

      Re: Orange Alert!

      I can definitively say the answer to that question is 'Yes!'

  2. John H Woods Silver badge

    "Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party"

    Errr ... no. That vulnerability is the entire purpose of the software produced by that third party ... and you were paid by that third party for including that software.

    1. Richard 12 Silver badge

      Correction

      Superfish were the party in question.

      Unless they outsourced their entire product, in which case, they are not only evil, but stupid as well.

      1. Doctor Syntax Silver badge

        Re: Correction

        "Superfish were the party in question"

        The quote about a 3rd party seems to have been from a statement by Superfish. It turns out that the SSL interception stuff they used came from Komodia. It looks, then as if the 3rd party they're trying to point the finger at is Komodia. So are they claiming they didn't know the implications of the stuff they bought in from Komodia?

        1. Japhy Ryder

          Re: Correction

          Komodia are very explicit on their website about what their stuff is, what it does and how it does it. To wit:

          "Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning."

          That is right in the middle of the home page. I don't really see how you could miss it unless you wanted to.

          Komodia now say their website has been DDoSed offline following the media attention, but you can see how it used to be on the Internet Archive.

    2. JLV Silver badge

      which begs the question of who else is on Superfish's payroll. Is it just Lenovo? I mean, it would hardly be a good business model for Superfish if they were entirely dependent on Lenovo.

      1. Mark 85 Silver badge

        Valid question.. for which there doesn't seem to be an answer. I've checked the two PCs and one laptop in our household and they are clean (of this beast, at least). None are Lenovos. But not only Superfish, what else is out there that we haven't heard about?

        1. P. Lee Silver badge
          Big Brother

          >who else is on Superfish's payroll

          Cue software name change in 3, 2, 1...

          It also highlights the power of having a root cert installed.

          Sure you can audit the list, but do you really trust all those CAs?

          1. Tom 13

            Re: Sure you can audit the list, but do you really trust all those CAs?

            Snarky answer:

            No. Truth be told, I don't even really trust the ones I have to.

            More truthful answer:

            No. But it's such a PITA keeping track of who is trustworthy and who isn't that I mostly accept the defaults. The good news is the desktop I rolled myself, so minimal exposure there. But it's really hard to roll your own laptop, even if you're in the biz. And cleaning out the crap is nearly impossible.
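In the spirit of "sure you can audit the list" and of the difficulty of keeping track of who is trustworthy, here is an added example of that audit on Windows (my own code, not from the article or any commenter): it inventories the machine and user root stores, flags roots whose subject or issuer matches a watchlist, and flags any root that carries a private key on the endpoint. The watchlist names (taken from this thread) and the output path are assumptions.

```powershell
# Added example: audit the Windows trusted-root stores.
# Assumes an elevated PowerShell session on Windows; the watchlist and
# output path are constructed for illustration.

# Constructed watchlist: names discussed in this thread.
$Watchlist = @('Superfish', 'Komodia')

# Both stores can grant trust to a browser using the Windows store.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        $Cert = $_
        # Regex match of each watchlist entry against subject and issuer.
        $Hit = $Watchlist | Where-Object {
            $Cert.Subject -match $_ -or $Cert.Issuer -match $_
        }
        [PSCustomObject]@{
            Store       = $Store
            Subject     = $Cert.Subject
            Thumbprint  = $Cert.Thumbprint
            NotBefore   = $Cert.NotBefore
            SelfSigned  = ($Cert.Subject -eq $Cert.Issuer)
            HasPrivKey  = $Cert.HasPrivateKey
            Watchlisted = [bool]$Hit
        }
    }
}

# A watchlist hit, or a root CA whose private key lives on this very
# machine, is exactly the condition that lets local software (or anyone
# who copies that key) mint certificates the browser will accept.
$Findings | Where-Object { $_.Watchlisted -or $_.HasPrivKey } |
    Format-Table Store, Subject, Thumbprint, NotBefore, HasPrivKey -AutoSize

# Full inventory, newest first, for comparison against a clean baseline
# image of the same Windows build.
$Findings | Sort-Object NotBefore -Descending |
    Export-Csv -Path "$env:TEMP\root-store-audit.csv" -NoTypeInformation
```

Roots added by an OEM preload tend to stand out by their recent NotBefore date when the inventory is diffed against a retail install of the same build.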

  3. Michael Thibault

    Two heads are better than one

    Both Lenovo and Superfish owe, big time--at least one apiece. Nobody wearing a red shirt, though. Unless it's silk.

  4. x 7 Silver badge

    1) "It added that it was working with Microsoft and McAfee to help the firm kill or, at least, quarantine the crapware." Well, that will be the first time McAfee removes crapware: most of it McAfee doesn't touch

    2) Assuming it's a Windows 8 machine, then using F8 at startup and doing a "system refresh" should give you a clean install - sans crapware and drivers. You should then be able to install those one by one as desired from the on-disk repository

    1. Blitterbug
      Unhappy

      Re: a "system refresh" should give you a clean install - sans crapware

      Mmm... not in my experience, sadly. Plus good luck with F8-ing Win8 while booting. I believe that's disabled by default, which is why I carry around a 16GB Win8 recovery USB I made from my own laptop for dealing with nerfed systems. All the crap always seems to come back, but at least the recovery USB has always worked, on any make and model of Win8 machine.

  5. moiety

    "Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party."

    That's bollocks.

  6. x 7 Silver badge

    Just checked the Superfish website - looks like they are keeping their heads down. Last press release was 11th Feb http://www.home.superfish.com/#!news/c1w2u

    Someone asked who else used Superfish - this gives an idea (http://www.xenia.co.il/Superfish)

    "Superfish sells its search capabilities to several major customers in the eCommerce space; in Q10 Superfish launched its consumer application, a browser add-on that uses visual search technology to help consumers find deals and other visually-similar items instantly while shopping. The product works on almost any product and on hundreds of shopping sites including Amazon.com, Best Buy, eBay, Macy's, and Overstock.com. Current index covers over 60 million products".

    Meanwhile http://trends.builtwith.com/websitelist/SuperFish reckons there are currently "2,881,734 active sites using SuperFish" - you can buy a list of them there if you want

    1. Robert Helpmann?? Silver badge
      Coat

      Not limited in...

      Meanwhile http://trends.builtwith.com/websitelist/SuperFish reckons there are currently "2,881,734 active sites using SuperFish"

      So what you are saying is that their efforts scale well? Mine's the one with the fake cert in the pocket.

  7. x 7 Silver badge

    this forbes article is worth a read

    http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/

    turns out that the CEO of Superfish has quite a long history in the surveillance industry

    to quote

    "Pinhas, the co-founder, has an interesting history, especially from a privacy perspective. According to his LinkedIn profile, in 1999 he co-founded a company called Vigilant Technology, which “invented digital video recording for the surveillance market”. That company is still thriving today, boasting contracts with a diverse range of big-name clients, including the US military’s White Sands Missile Range, Paradise Casinos in California and Arizona, and a number of Israeli government organisations.

    "Prior to that, former Tel Aviv resident Pinhas worked at Verint, an intelligence company with a tumultuous history, where he carried out “signal processing research” in which he’d recognise and analyse anything going over a telephone line. Verint was founded by members of the elite military intelligence agency Unit 8200. It was featured in a Wired article in 2012, in which it was alleged Verint tapped Verizon’s communications lines and was supposedly working with the National Security Agency in doing so. Just a year later, Edward Snowden would reveal Verizon had let the NSA tap all customers’ communications. One wonders if Pinhas was ever involved in those shady operations. Did that lead to his move to the West Coast?"

    and theres more, which I won't copy for fear of copyright problems

  8. A Ghost
    Holmes

    Another list to add to

    So we can add being disingenuous and non-contrite to the list as well. Great.

    This is one company I know where I stand with.

    I'm the kind of person that has 'brand loyalty' if such a person exists. Sure we all go for the best deal and what suits us at the time, but all things being equal if I have had good products that have lasted or products that have broken and been fixed, then I'll go with that.

    I had several Toshiba products for example, starting off with my first ever boy's own BoomBox. Great little (or not so little) thing that was. My romance with Toshiba had begun! Culminating several years later in a fantastic little Tecra laptop. Everything in between, if I could, I bought Toshiba. But then, let's just say I had a very bad experience with them and a newer laptop that died on me. I was pointed to a shop on Tottenham Court Rd. to get it fixed where they tried to gouge me and tried to withhold the hard drive in ransom for an extortionate payment. That didn't work out too well for them. I can't even remember now if they were an official 'repair' shop or something like that for them - I think they were, but don't quote me on that. Suffice to say it did not leverage my immersive experience as a most valued customer, with 'brand loyalty'. I swore I'd never buy Toshiba again. And I haven't. And I won't. When the trust is gone it's gone. For good.

    This was at a time where it was extremely expensive to back your stuff up. Back up writers cost as much as the laptop itself, often more for good ones. Cue iomega. I had three drives fail on me in a row. They just flat out refused to issue a fourth one saying 'that's yer lot - no more!' But, but, but... I spluttered. Needless to say another company I refused to look at again.

    But, looking back with hindsight and having calmed down a bit about it all (you can see I've still not got quite over it ;-)), that was a different age. They were working and trialing and finessing the technology and of course things were bound to go wrong. These things happen.

    And now here we are today, in what should be the Golden Era of Technology. Pretty much all that stuff has now been worked out and failure rates are as low as they are ever likely to be in our lifetimes. Companies know from experience what sort of level of customer support is expected and what they can get away with giving, and on the whole, hardware wise, most of us are happy campers. And they have to go and spoil it all by pissing in our nice shiny new toybox! The bastards.

    People said the early days of the internet/web were like the wild west. But I don't think it's half as bad as it's got now. At least then there was some kind of egalitarian dream. That this kind of technology was going to level the playing field, and for once in the favour of the end user and common man. God, I sound like Hunter S Thompson, eulogizing about high water marks and where if you stood in the right place at the right time, there was a sense that we were WINNING.

    I've run out of steam writing my mediocre comedy sketches with the mythical Carl and Donna. I'm not sure how much more comedy value is left in this now. I was going to post earlier, but I was only going to say what others have said, and I truly feared for my sanity or comprehension of the facts. Another WTF moment to surpass all others, where being data raped is either flat out obfuscated to be something 'good' for you, or flat out denied that it never happened in the first place. Well, ok, it did happen, but the people in charge, those responsible and culpable knew nothing about it.

    When I was a paper boy (I was never a paper boy - I was a lazy little sod - still am) if I had told Mr. Gupta at the corner shop that the reason all his newspapers were not delivered and found in a local skip, was that a big boy had nicked them off me and run away, he might have believed me the once. But again and again and again? How many more times would I have got away with it? But it's one rule for multi national corporations and another for lazy little paperboys.

    I won't be buying Samsung again either, another company I had brand loyalty to. Over. I'm not going to bore you further - if you made it this far you deserve a medal. Btw if you type 'Lenovo' into Google, this article is third on the list.

    1. LaeMing Bronze badge
      Thumb Up

      Re: Another list to add to

      Yes, brand loyalty is a two-sided coin: "There is no wrath like that of a zealot betrayed."

      (Not accusing you of zealotry, that is just the way the saying is traditionally worded.)

      - A former indie dev on Apple's platforms (don't get me started!)

      1. A Ghost

        Re: Another list to add to

        No you're quite right. I was a zealot.

        At least I was zealous about finishing university that year and backing my stuff up. The Toshiba blowing up (there was a class action against them in fact for this particular model, but in the U.S) was bad enough, but the iomega debacle added insult to injury.

        In hindsight, I think it was probably just good old fashioned bitterness and spite more than anything pertaining to some kind of misguided utopian ideal, that drove me on.

  9. Little Mouse

    Quarantine

    We can all do our bit to help "quarantine the crapware" - by making sure Lenovo laptops never leave Lenovo warehouses.

  10. bob, mon!

    lenovo and market pressure

    I'll consider replacing my current workstation-grade laptop with a Lenovo - IF they clean up their act, and keep the crapware off and the build quality up. The commercial-grade thinkpads have been sinking, but are still pretty good. And I'll do a fresh OS install anyway.

    Sadly, I don't believe that *any* of the vendors are lily-white in this market. If one of them gets burned enough to clean up their act, that'll have to be good enough when it comes to the next sale.

    1. GregC

      Re: lenovo and market pressure

      I'll offer a vendor that may or may not be lily white, but did almost* everything right when I bought a laptop from them in the middle of last year - PC Specialist.

      No crapware installed? Check. I had options of having antivirus and Office trials installed, but the important thing is they were options - I chose "No antivirus" and "No office software", and sure enough there wasn't any. And there was nothing else, either.

      Choice of OS? Check. Win 8 or 7, or no OS at all if that's your preference. They could get a bonus point by offering a Linux, but then which one?

      Proper, old fashioned, install media? Check. Vanilla Win7 DVD in the box.

      Extra little touches - how would you like your HDD partitioned for example. Just saved me a little job, cool.

      Basically they delivered the machine I wanted, ready to go, complete with reinstall media should I need it. And no crapware. Price? Reasonable for the spec I wanted. I would recommend them to anyone who's not in a huge rush (see *note...)

      *My only real problem was with the build/delivery time - what was "estimated" at the time I ordered it was 7-10 working days, and it was nearer 14. Doing my research before ordering, this was a fairly common theme, but also the only major complaint I found and I wasn't in that much of a hurry. That said when I rang them to see what was going on I spoke to a bloke in Leeds, who went to the production area, found my order, and told me what to expect. That works for me.

      Reading this back it sounds like an ad. It's not, I'm just a satisfied customer. Whether the model of basically making decent machines for a sensible price, without installing crap, is sustainable we'll see I guess...

      1. Tom 13

        Re: It's not, I'm just a satisfied customer.

        That's actually the absolute BEST ad a company can have.

        Many CEOs would be well served to remember that.

        I've worked in IT repair for more than 15 years now. I'm not a sales guy, but I sold a fair bit of kit in my day. I could sell it because it was always an honest technical solution to the problem, not what I was pushing that day because of a SPIF.

  11. x 7 Silver badge

    more from Forbes

    first from that earlier link

    "As security expert Matt Suiche pointed out to me on Twitter, the password used to get the encryption key for the Superfish certificate authority (you can find more details on that in my previous article here) is “Komodia”. There’s a company called Komodia, which also does ad injection and “global proxy interception” – some very aggressive techniques. According to the company’s website (which is currently down because of an attack on the site), the founder, Barak Weichselbaum, was also part of the surveillance industrial complex in Israel, having carried out “military service as a programmer in the IDF’s Intelligence Core”. Komodia offers one service called SSL Digestor that carries out ad injects and effectively breaks encryption, just as Superfish was doing on Lenovo PCs. Suiche and Robert Graham of Errata Security are convinced that product was used by Superfish in the Lenovo case.

    So ex-surveillance agents, operating in both the private and public spheres, have ostensibly combined their powers to force ads onto people’s computers, leaving web users open to other forms of attack. That’s startling and frightening for anyone who cares about privacy or security."

    and from http://www.forbes.com/sites/thomasbrewster/2015/02/20/komodia-lenovo-superfish-ddos/

    "It’s becoming apparent that the Lenovo Superfish omnishambles affects far more people than initially thought. Whilst it’s likely millions of PCs have Superfish running on their systems, intercepting their traffic, throwing adware on their computers and leaving users in danger of being hacked, many more will be running the technology believed to underpin the Superfish ad injection service.

    The company behind that highly intrusive technology, known as SSL Digestor, is called Komodia. But anyone who wants to learn more about what it does won’t find out anything by visiting komodia.com today (which, ironically, doesn’t run over encrypted HTTPS connections). That’s because those visiting the site will find a brief, startling claim: it’s been hit with a Distributed Denial of Service (DDoS) attack due to “recent media attention”.

    What’s confusing here is that DDoS attacks usually swamp a server with traffic and take it offline, making the site completely inaccessible. But it’s still possible to reach komodia.com. Is the company simply claiming DDoS and hiding? That’s unlikely. Darren Anstee, from DDoS expert Arbor Networks, said that sometimes, when sites are under attack, the organisations running them move to using a more simplified page to reduce the load on the server. This might see a site’s graphic content removed or reduced.

    In a brief email conversation with Barak Weichselbaum, Komodia’s founder who was once a programmer in Israel’s IDF’s Intelligence Core, he said the company was not hiding behind DDoS claims and that the attack was real. “We had to decide if we focus on it, or on other things, we are busy as you can imagine. I saw on forums people say we’re hiding, the site can be seen from the internet archive, so no point trying to hide anything. Regarding the Lenovo Superfish story I’m unable to comment because of contractual reasons,” he told Forbes.

    He said the DDoS saw reams of requests hit the HTTP server, which made the PHP backend code processes “consume all the CPU”. “The static page doesn’t consume CPU with the level of this attack.” He hadn’t responded to further questions on the security implications of his technology.

    "Why is Komodia now getting so much attention anyway? Because its hugely intrusive and poorly protected technology is found in many places on the web, according to Marc Rogers, principal security researcher at content delivery network CloudFlare. The technology can be found in various parental control software, including those made by Qustodio and the Israeli firm’s own “Keep My Family Secure” product, and in web filter products across the world. On Weichselbaum’s LinkedIn page, he says: “My biggest vision is to create a world where children can surf the internet safely, and I’m working to see this vision realized.”

    Worryingly, it’s very easy to extract and use the encryption key run by Komodia, largely because the password to access all different versions of the certificate is “komodia”. That means malicious hackers can craft their own SSL certificates, which are supposed to guarantee trust, with the Komodia key. They can then intercept people’s internet connections, create fake versions of certain websites and steal their data, as long as targets’ computers trust the Komodia certificates.

    “This means that those dodgy certificates aren’t limited to Lenovo laptops sold over a specific date range. It means that anyone who has come into contact with a Komodia product, or who has had some sort of Parental Control software installed on their computer should probably check to see if they are affected,” said Rogers.

    “This problem is much bigger than we thought it was.”

  12. x 7 Silver badge

    cert advisory re Komodia

    cert advisory re Komodia is at http://www.kb.cert.org/vuls/id/529496

    Also lists the following products as affected

    Atom Security, Inc

    Infoweise

    KeepMyFamilySecure

    Komodia

    Kurupira

    Lavasoft

    Lenovo

    Qustodio

    Superfish

    Websecure Ltd

    may well be others

    this guy managed to get shots of the Komodia website before it went offline

    http://borncity.com/win/2015/02/20/komodia-ssl-certificates-and-hijacking-tech-are-widely-spread/

    you can see from there how it works

    1. Solmyr ibn Wali Barad

      Re: cert advisory re Komodia

      Lavasoft? Holy crap.

      Alas, seems to be true. Besides their usual ad-removal tools they have this Web Companion thingamabob, where Komodia served as an SSL analysis tool. Neat. And as a cherry on the pie, there's a fuss with Comodo certs too.

      arstechnica.com/security/2015/02/security-software-found-using-superfish-style-code-as-attacks-get-simpler/

      Lavasoft has said that they have removed Komodia. Not sure what'll happen with Comodo.

      1. Roland6 Silver badge

        Re: cert advisory re Komodia

        This blog: https://gist.github.com/Wack0/17c56b77a90073be81d3 lists a few more parental control users of Komodia...

        What is notable at the moment is that no similar self-signed CA certificates have been discovered. However, because closing the door on self-signed certificates is going to be practically impossible, we can expect this attack vector to be used in the future...

        1. Solmyr ibn Wali Barad
          Trollface

          Re: cert advisory re Komodia

          Thanks for the link. Especially loved the mention of ring0 rootkits.

          Now that is a worthy question, the most fundamental problem of modern IT - whose rootkit do you trust, in order to keep others out? Because not having a rootkit doesn't seem to be a valid option anymore. Most security products are using shady techniques, more like 50 shades, to give us a false and perverted sense of security.

          Fuckyouverymuch, purveyors of "safe computing experience". I'm going to build myself a stone abacus. Root THAT, suckers. We'll see how well you can handle a chisel.

          /rant off/

          1. Roland6 Silver badge

            Re: cert advisory re Komodia: Maxthon

            What I'm a little surprised about is how quiet the Maxthon crowd are: their browser fails both of the Superfish certificate tests, potentially due to poor design...

  13. gnasher729 Silver badge

    Total destruction of security

    Someone will surely correct me if I got this wrong:

    If I ordered some stuff from Amazon using a Lenovo computer, entered my credit card number on their super secure https site, then this "Superfish" company would have been capable of reading my credit card number, even without the vulnerability?

    And with the vulnerability, if I ordered some stuff from Amazon using a Lenovo computer, entered my credit card number on their super secure https site, then any hacker could redirect the traffic to their site instead of Amazon, and produce a faked certificate that the Lenovo computer would accept without hesitation, with no indication to the user what is going on?

    That is absolutely unbelievable.

    1. Anonymous Coward
      Anonymous Coward

      Re: Total destruction of security

      "Someone will surely correct me if I got this wrong:"

      You are not being paranoid enough. It's not limited to Lenovo computers. Anyone using *any* of the affected products from Komodia is vulnerable.

      "That is absolutely unbelievable."

      If only.

      1. Nigel 11

        Re: Total destruction of security

        You are not being paranoid enough.

        Add, anyone using technology licensed from Komodia, openly or covertly.

        Add, anyone using the same technique, without having licensed it from Komodia, and without having disclosed what they are actually up to.

        The real lesson is that SSL is really, truly, deeply flawed, and that it's a case of "broken by design" rather than "broken by accident".

        1. Roland6 Silver badge

          Re: Total destruction of security

          @Nigel 11 - would have upvoted, but your final sentence about SSL indicated that you don't understand that this isn't an SSL issue, it is a certificate handling and trust issue, which undermines much of the PKI security we've taken for granted.

  14. Innocent-Bystander*

    Dell Provides Clean USB Recovery Media (On Request)

    Although my (really good) experience was with Dell's premium support: when my optical-drive-less Inspiron 7000 series laptop needed a new install (I threw out the spinner and installed an SSD in it), I just rang up their support line and they sent me:

    - A clean copy of Windows 8.1 OEM on a USB Key

    - a DVD with all the drivers

    - an external DVD combo drive

    All free, I didn't even have to pay shipping.

    So it's possible to get a clean copy of Windows, at least from Dell, I suspect other manufacturers will do it as well if you ask.

    1. Anonymous Coward
      Anonymous Coward

      Re: Dell Provides Clean USB Recovery Media (On Request)

      Wish I had known that earlier.

      Lenovo UK seem to be losing the plot.

      I ordered a laptop a few months back for a user. They started to get annoying MS 'this is not genuine windows' messages. I called up the hotline. The message I got was you have to upgrade this to Win 8 - it will then pick up the licence key and then you can downgrade back to win 7.

      To avoid disrupting the user I ordered another laptop, called the support line and was told yes, I had to do the same thing for this laptop. So I did - without any success. 3 different support people told me 3 different things (one was actually quite rude). The problem lay with the Win 8 licence it seemed. I called Microsoft - no luck, they told me to get back to the reseller - which I did.

      They then got Lenovo to ship me some Win 7 Pro disks. I've been waiting over 2 weeks for this. Several calls and emails to both reseller and Lenovo were not fruitful. The sales folks at Lenovo have not returned my calls.

      2 MONTHS after I ordered the 2nd laptop I have ended up with 2 unvalidated laptops.

      I have now called another supplier and ordered a Dell laptop instead. The plan is to get this working and then send the 2 Lenovos back.

      We are now going to shift to either HP or Dell.

  15. Anonymous Coward
    Anonymous Coward

    Am I the only one…

    … who reads "Komodia" and can't help but recognise how similar the name sounds to "Commode"?

    1. Nigel 11

      Re: Am I the only one…

      Or Comedia (Comedy, Farce)

      Or Komodo (Dragon, big lizard with lethally septic teeth, that bites you and then waits for you to rot to death).

      1. Anonymous Coward
        Anonymous Coward

        Re: Am I the only one…

        Yes well, I was thinking along the lines that both Commodes and the people who think dodgy root CA certs are a good idea, are both full of crap.

    2. fajensen Silver badge

      Re: Am I the only one…

      Or Chlamydia - which is sort-of what it is.

  16. moiety

    There seems to be a lot of ex-spooks suddenly turning up in this story.

  17. x 7 Silver badge

    "ex" -spooks???????

    once a spook always a spook

  18. pacmantoo

    Will MS go down the Apple road?

    ...of only allowing reinstallation of the OS from the cloud? That way they can make a 'clean' <ahem> image available to all who have an activated legit OS installed. Big drawback: they pay for the hosting infrastructure and if your line in the boondocks is too slow you'll never get the image (Oh yeah, try reinstalling OS X over the web on less than 2Mbps and see your connection disappear into a black hole somewhere in the US)

    Why stop there? When your data is on OneDrive and you use Office online (or whatever it is called this week) all you need is a browser. Oh yes, that's the Surface / Windease phone isn't it?

    1. Tom 13

      Re: Will MS go down the Apple road?

      No, because MS have to offer OEMs a way to differentiate themselves. When I first entered the IT repair arena I worked for a small screwdriver shop. We never had more than 10 employees, but we were incorporated and had a brand name. We were a licensed MS OEM vendor. One of the things MS allowed us to do was embed our company information on the System Information screen, including a bit-mapped image if we were inclined to create one. So this is embedded in their DNA. Changing it is on the order of mutating a blue whale into a toadstool.

      What will happen is that vendors who hawk sufficiently onerous crapware will go out of business while those that don't survive. If any of them actually pre-package decent stuff they could actually thrive.

  19. Nicholas Nada

    ...

    This isn't even my final Phorm.

  20. Joe Harrison Silver badge

    Avast anti-virus

    Avast also does something like this to intercept your SSL traffic. I uninstalled it after I found out but I had previously been running it for quite a long time, and I am the sort of person who quite often does actually check certificates when connecting to SSL sites. I didn't investigate how Avast avoids certificate errors but if you are a user you might want to look carefully at your config.

    1. Roland6 Silver badge

      Re: Avast anti-virus

      If you run any security software that does any meaningful packet inspection, it is doing something similar to what SuperFish/Komodia are doing with respect to certificate handling. However, the big difference (we hope and assume) is that instead of using the same static password and certificate in all installs they create an installation specific password and certificate.

      So whilst my security software can perform a MITM attack on me, because it uses a password and certificate that is unique to my system, it is very difficult for a third-party to piggyback on to my security software's 'trusted' intercept.

      I suspect this (the use of MITM services for security purposes) is one of the reasons why many may have not looked too closely at the Superfish/Komodia implementation and hence missed the simple duplication of a static certificate. Also, who would look closely at software produced by companies led by individuals with strong security backgrounds for security flaws? And would their senior management believe them if they had found a flaw?
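A way to turn Roland6's point above (and the earlier observation in this thread that no further self-signed CA certificates have turned up) into a check a Windows admin can actually run. This is an added example, not anything posted in the thread or shipped by Lenovo, Superfish, Komodia or any AV vendor; it assumes only the built-in Cert: drive and lists roots trusted on this host that are not in Microsoft's AuthRoot distribution or that carry their private key locally, the two marks of a locally added or interception-style CA.

```powershell
# Added example (not from the thread or any vendor): review the trusted root
# stores for CAs that were added locally or that look like interception roots.
# Uses only the built-in Cert: drive; no external tools are assumed.

# Roots Microsoft distributes through the Windows root program land in
# AuthRoot. Most of what is trusted in Root but absent from AuthRoot was put
# there by something else: Group Policy, an installer, or bundled software.
# (A handful of Microsoft's own roots also live only in Root; expect those.)
$authRoot = @{}
Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot' |
    ForEach-Object { $authRoot[$_.Thumbprint] = $true }

# Check both the machine-wide store and the current user's store; per-user
# installs can add a root without admin rights.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        if (-not $authRoot.ContainsKey($_.Thumbprint)) {
            $reasons += 'not in Microsoft AuthRoot'
        }
        # A public CA's signing key is never on an endpoint. A root whose
        # private key is present here can mint a certificate for any site,
        # which is exactly what an SSL-inspecting product needs to do and
        # exactly what made a shared static key so dangerous.
        if ($_.HasPrivateKey) {
            $reasons += 'private key present on this host'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Store, Subject | Format-Table -AutoSize
```

The output is a review list, not a verdict: enterprise-deployed roots and a few of Microsoft's own will appear, but any root with its private key present on an endpoint needs an explanation.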

      1. fajensen Silver badge

        Re: Avast anti-virus

        ... they create an installation specific password and certificate ...

        But of course they do ... If they use a cryptographic process to create the certificate, it can become both a unique "Endpoint ID" and a secret Backdoor for the TLAs - OTOH the "Superfish" approach, while crude and carrying collateral damage, does have full deniability built in (but we are talking about people who authorise "signature strikes" and "double taps" so we know "they" don't give a crap about that).

        I dumped Avast because I felt it was just a little too slick a package for a product that nobody (except pensioners like my mum) will ever pay for and because it vigorously inserts its slimy tentacles into just about every orifice in the system it is installed on - even NNTP is proxied. It just smelled a bit like NSA was *the* paying customer. So, now we only use "Microsoft Security Essentials" and "restore points".

        I think it will be discovered that A/V software is indeed the main gateway for breaking endpoint security, it is just so damn convenient - a root-kit installed and cared for by the users. Who can resist?

        The Superfish/Komodia people are just helping the cause of their former colleagues, while making a buck on the side with crapware, probably using methods that were originally developed by the TLAs. When that business dries up, they will go right back to "security", while a new crop of rats with better tools replaces them. The HDD hacks will in due time be "commercialised" and used to create un-killable crapware.

  21. x 7 Silver badge

    "I didn't investigate how Avast avoids certificate"

    that explains how a few months back IE9/10 crashed if a Google Search was carried out with Avast's web protection plugin enabled

    it's been fixed now but it caused a lot of problems at the time and Avast totally refused to publicly acknowledge the problem

  22. Mike Shepherd

    We moved swiftly and decisively...

    ...as soon as we were found out.

    1. Zog_but_not_the_first Silver badge
      Devil

      Re: We moved swiftly and decisively...

      The reaction of politicians and crims the world over.

  23. Anonymous Coward
    Anonymous Coward

    Head - meet sand

    "However, we did not know about this potential security vulnerability until yesterday"

    Well it seems a lot of other people did, so it doesn't say great things about their competence that they managed to miss it. Too busy finding a nice sandbox to stick their head in perhaps.

    On the bright side, with this kind of performance a block allocation of coveted spots on the Golgafrincham B-Ark would be assured, right next to the telephone sanitisers.

  24. cortland

    Back door? Nah.

    To copy a Chinese euphemism, it sounds more like "back orifice". At a local Best Buy (tm) store the contract fixer-uppers (The Geek Squad - also tm) are going through Lenovos removing (one hopes) the exploit. Good luck.

  25. scratchpad

    Lenovo All-in-Ones

    I suspect this problem affects All-in-Ones as well as Lenovo Laptops. I have some evidence that the problem may have been around since at least October 2014. Can anyone confirm this please?

    1. Roland6 Silver badge

      Re: Lenovo All-in-Ones

      This article has a list of the models that had superfish installed: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

      Seems they are all consumer ranges - but then I only buy the M, T and W series.

      However, from the comments being made across the web, it seems that Lenovo, as the first to fall foul of a security vulnerability introduced by a third-party bundled app, have unsettled some business purchasers. A warning that others (e.g. Dell, HP etc.) should take note of...

      1. Roland6 Silver badge

        Re: Lenovo All-in-Ones

        This advisory from Lenovo provides an (official?) listing of notebook ranges and models: http://support.lenovo.com/us/en/product_security/superfish

        It seems to be the source of the ARS list.

  26. Bob AMG
    Thumb Up

    They have put their hands up and apologised and promised to learn from this mistake. I for one will support honest mistakes and pat them on the back for owning up. Let's support them on the grounds they don't do it again.

    1. Anonymous Coward
      Anonymous Coward

      Well,

      Lenovo didn't have much choice, after all the negative publicity. Plus the initial handling of the incident by their CTO was appalling. Someone needs remedial PR lessons, badly.

      Personally, I hope Komodia, Superfish and its ilk all get it in the neck. AV vendors and browsers should start flagging fake certs and interception as a Very Bad Security Risk. Unfortunately, you could say the same about SSL in general. It has been broken and vulnerable to exploitation for a long time as elegantly demonstrated by Moxie Marlinspike.

      However, knowing about a vulnerability and actively exploiting it for commercial gain is a line too far for me. It falls somewhere around selling counterfeit viagra while hosting spam servers and borders on black hat, large-scale cyber-villainy. Maybe all this attention will make them look for a new line of business.

      As for Lenovo, always liked the Thinkpad, still have three, but I would think very long and hard before I would buy another. Sorry guys, maybe you should start marketing PCs without crapware and see if it catches on.

    2. John Sturdy
      FAIL

      This wasn't a "mistake"; it was as deliberate as you can get, and they should be made an example of.

      As for them not doing it again: at best, it's a matter of them not being able to get away with doing it again. A burglar who is not currently burgling just because he got caught and is in jail is not the same as an honest character.

      Unfortunately, even that's optimistic: I expect they'll try again as soon as they can. I hope that enterprise buyers will also avoid their enterprise equipment; after all, who knows what's preloaded on them, that simply hasn't been found and exposed yet?

  27. hypernovasoftware

    Windows and malware. A match made in Hell.

    1. splodge

      ITYM Windows and malware. A match made inevitable.

  28. SleepGuy

    STOP the preloads!

    I just acquired a few Lenovo AIO desktops for work and could not believe the amount of crap-ware pre-installed on them! WAY worse than HP, Dell or Asus. I did not expect this from a more "premium" brand.

    Additionally the BIOS/UEFI is horrible on them. I never could get the computer to boot from USB or DVD (After I selected USB or CD on the boot menu it would instead boot to "Lenovo Recovery" instead of Acronis.) Ended up yanking the drives out to image them.

  29. x 7 Silver badge

    The ironic thing in all this is that the same Komodia software is being used both as scamware / hijack software, and as website protection software. How's that for amazing marketing???

    We now know that the following scamware uses it

    CartCrunch Israel LTD

    WiredTools LTD

    Say Media Group LTD

    Over the Rainbow Tech

    System Alerts

    ArcadeGiant

    Objectify Media Inc

    Catalytix Web Services

    OptimizerMonitor

    While the following supposed security filters use it

    Atom Security, Inc

    Infoweise

    KeepMyFamilySecure

    Komodia

    Kurupira

    Lavasoft

    Lenovo

    Qustodio

    Superfish

    Websecure Ltd

    I've also picked up hints from elsewhere that a number of toolbar programs also use it

    Until we have a definitive list of just who else licenced the Komodia software we have to assume that ANY web-filtering security software is suspect unless otherwise proven

    1. moiety

      Lavasoft? Ad-Aware?

      1. x 7 Silver badge

        "Lavasoft? Ad-Aware?"

        Historically the Ad-Aware program was a rebranded version of Norman Antivirus, with Lavasoft generating their own malware signatures (my understanding was that the contract prevented Lavasoft offering a full AV solution)

        A few years ago Norman pulled the plug on the deal so Lavasoft had to come up with a new program quickly, this new version of Ad-Aware becoming closer to a full AV program. It wouldn't surprise me if they simply licenced off-the-shelf technology from others and bundled it all together as their in-house software expertise wasn't great. So, no surprise if the current version of Ad-Aware is compromised.

  30. splodge

    Komodia's big cheese talking about hijacking SSL. Legitimately, obviously...

    https://www.youtube.com/watch?v=hCuTRzFY9CQ

  31. Zog_but_not_the_first Silver badge
    Facepalm

    Karma?

    As I began to read this article, I was served up with Lenovo ads in the two MASSIVE side panels that now flank El Reg's finest prose.

    1. x 7 Silver badge

      Re: Karma?

      Karma?

      No........cookies

      or hijacked........

  32. Siriuss

    what a load of bull... This apology doesn't even make sense. Superfish is a strange name for a company, because in this case I wonder who is the big fish in question...

    So now even if we don't do anything wrong on the internet we always have to look over our shoulders to check how many blood suckers are following us and trying to see what we're doing. Some websites have over 24 trackers and enough cookies to feed an army.


Biting the hand that feeds IT © 1998–2019