This article is more than 1 year old
Mozilla mulls Superfish torpedo
Green-lighted blacklist of compromised certs could be ready in a day
Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops.
The move will be another blow against Superfish, which is under a sustained barrage of criticism for its use of a root certificate to launch man-in-the-middle attacks against innocent users in order to inject advertising into web searches.
That crude tactic meant Lenovo machines running the program could be trivially attacked by hackers who set up fake banking websites using the certificate to shore-up legitimacy.
Mozilla has not yet pulled the blacklist trigger but is mulling options, cryptographic engineering manager Richard Barnes told El Reg.
"It is one of our core principles that individuals' security and privacy on the internet are fundamental and must not be treated as optional,” Barnes says.
“We are still investigating this situation to confirm to what extent Firefox users are affected.
“Once we make the decision to block the certificate, we should be able to block it within about 24 hours."
Lenovo has issued a tool to mop up Superfish, issuing a statement that it ordered the software preloads to stop and cut server connections.
“Since that time we have moved as swiftly and decisively as we can based on what we now know. While this issue in no way impacts our ThinkPads; any tablets, desktops or smartphones; or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed,” it said.
CloudFlare security bod Filippo Valsorda said machines with software that employed the Komodia proxy used by Superfish could be targeted by attackers without the need to use a since public extracted private key. Self-signed SSL certificates are converted into valid ones, we're told.
"All the users out there with Komodia-powered Parental Control software or adware [can] have their banking connections easily intercepted. Well, good job," Valsorda says.
"It's catastrophic. It's the only way all this mess could have been even worse."
Many affected users could be reasonably expected to have heads firmly planted in the sand about how their laptops were ripe for super phishing and therefore be unlikely to download the erasure tool.
For its part Mozilla, like the rest of the security community, did not take kindly to news of Superfish's spawning run. Barnes said in a thread that Superfish should be marked untrusted in the Mozilla Network Security Services libraries such a move would have some merit.
“At the very least, blacklisting can increase the work that the attackers have to do, and make them take action specifically against NSS/Firefox, versus against operating systems,” he wrote.
“OneCRL gives us a mechanism to block this above the NSS layer, so even if they're already flipping bits in NSS, we can block them a layer up and make them meet us there.”
That ire comes as Microsoft joined an increasing list of anti-virus companies willing to blast the application and its certificate to smithereens. Microsoft told El Reg its Windows Defender antivirus software now "detects and removes the Superfish software from Lenovo devices" and will, sources say, kill the root certificate.
The number of anti-virus platforms that killed the Superfish executable VisualDiscovery.exe has doubled since news broke, according to imperfect statistics by VirusTotal. Vulture South has counted 10 (mainly small) antivirus platforms that brand the adware as either a potentially unwanted program or an outright trojan, a figure that as of the time of writing now totals 24 with bigger names joining the fray.
The US Computer Emergency Response Team urged victims customers to remove the application.
"Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate," US-CERT said last Friday.
"Exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system." ®