The US government's Computer Emergency Readiness Team (US-CERT) has said the Superfish ad-injecting malware installed by Lenovo on its new laptops is a "critical" threat to security.
Chinese PC peddler Lenovo bundled the software nasty to make a fast buck from its cheap, low-margin hardware: the application hijacks web browsers to inject ads into pages, even HTTPS encrypted websites, using an egregious root CA certificate.
"Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate," US-CERT said on Friday, urging people to remove the adware.
"Exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system."
In a detailed rundown – including instructions on how to remove the badware – the Homeland Security team said select Lenovo Windows laptops built since September 2014* harbor Superfish VisualDiscovery. Lenovo stopped bundling the software in January 2015.
The malware installs its own root CA certificate so it can silently intercept and decrypt HTTPS connections, allowing it to tamper with pages – namely, injecting ads to stuff to buy online.
For example, if you visit bankofamerica.com on an affected laptop, your web browser is hijacked to connect through Superfish's software, and you are none the wiser: the Superfish root CA certificate convinces the browser that everything is OK.
The private key for this certificate is hardcoded into VisualDiscovery's executable, and easily extractable. This means anyone can use it to create spoof websites that will be trusted by vulnerable laptops, allowing miscreants to pull off man-in-the-middle attacks and steal login passwords.
In other words, your connection to, say, gmail.com on a Lenovo laptop may look legit with a little padlock in the top corner of the window, but in reality the website could be malicious and masquerading as the real site so it can learn your login details.
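The interception described above only works while the Superfish root certificate sits in the machine's trusted-root store, so the first thing to check on a suspect laptop is whether it is there. The following PowerShell snippet is an added example, not code from the article, US-CERT or Lenovo; it assumes the rogue root carries "Superfish" in its Subject or Issuer field, and uses only the standard Cert: drive.

```powershell
# Added example (not from the article): list, and optionally remove, any root
# certificate naming Superfish in the Windows trusted-root stores.
# Assumption: the adware's certificate has "Superfish" in its Subject/Issuer.
$RemoveMatches = $false   # set to $true to delete matches after uninstalling the adware

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # True only if Windows holds a linked private key; the adware keeps
                # its copy inside its own executable, so False here proves nothing.
                HasPrivateKey = $_.HasPrivateKey
                PSPath        = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output 'No Superfish root certificate found in the trusted-root stores.'
    return
}

$found | Select-Object Store, Subject, Thumbprint, NotAfter, HasPrivateKey | Format-Table -AutoSize
Write-Warning 'An interception root is trusted on this machine; HTTPS cannot be relied on until it is gone.'

if ($RemoveMatches) {
    # Removing a root from LocalMachine needs an elevated (administrator) shell.
    foreach ($cert in $found) {
        Remove-Item -Path $cert.PSPath
        Write-Output "Removed $($cert.Thumbprint) from $($cert.Store)"
    }
}
```

Run it again after the adware has been uninstalled; a removal that leaves the root certificate behind leaves the laptop just as exposed to spoofed sites.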
The CERT advisory says Superfish uses Komodia's Redirector with SSL Digestor to intercept web connections. It points out that the same code is also used in free parental control software dubbed KeepMyFamilySecure (the irony), and it is not exclusive to Lenovo products. Other apps and products are bundling the adware.
Superfish, founded in 2006, is a small company based in Palo Alto, California, and has reportedly received about $20m in funding since 2009. Journalist Thomas Fox-Brewster has more on the background of Superfish and Komodia, here.
Microsoft agrees that this whole mess is bad news for users. On Friday the Redmond giant told El Reg its antivirus software Windows Defender now "detects and removes the Superfish software from Lenovo devices."
And sources familiar with the matter told us Microsoft's tool not only removes the Superfish software, but also the rather cheeky root certificate.
'Despite the false and misleading statements...'
Superfish insists computer users have nothing to worry about, and contradicts the US government's assertion that this is a major problem.
"Despite the false and misleading statements made by some media commentators and bloggers, the Superfish code does not present a security risk," its CEO Adi Pinhas told El Reg in a statement, adding that the company doesn't store or share personal data.
"Unfortunately, in this situation a vulnerability was introduced unintentionally by a third party. Both Lenovo and Superfish did extensive testing of the solution but this issue wasn't identified before some laptops shipped," he explained.
"Fortunately, our partnership with Lenovo was limited in scale. We were able to address the issue quickly. We learned about the potential threat yesterday and since then we have been working with Lenovo and Microsoft to create an industry patch to resolve the threat."
There's no word from Lenovo on the US government's Superfish alert. On Thursday the PC maker's CTO Peter Hortensius said his firm isn't "trying to get into an argument with the security guys," and insisted the code was safe to use. ®
Updated at 1407 Pacific Time (2207 UTC)
It's claimed the Komodia proxy server used by the Superfish adware is worse than previously thought: any man-in-the-middle attacker can create a spoof HTTPS website that is trusted by laptops with the Superfish root CA certificate installed, without having to use the extracted private key. Self-signed SSL certificates are converted into valid ones, we're told.
"All the users out there with Komodia-powered Parental Control software or adware [can] have their banking connections easily intercepted. Well, good job," says CloudFlare security bod Filippo Valsorda.
"It's catastrophic. It's the only way all this mess could have been even worse."
Updated at 1515 Pacific Time (2315 UTC)
* US-CERT initially said Lenovo had been bundling Superfish's software since 2010, although it has since corrected that to September 2014 after Lenovo complained. In a statement to El Reg, the computer giant said:
The 2010 date is not accurate. Lenovo has stated it preloaded this particular piece of software from Superfish starting in September 2014. Superfish has been around for years and its products have been available for download from sources other than Lenovo.