The Superfish adware bundled with some Lenovo laptops creates a security risk, warns the US Department of Homeland Security
The US Government has advised the public to remove Superfish, an advertising program pre-installed on some Lenovo laptops, saying it introduces a security vulnerability.
Meanwhile, Facebook security researchers said they have discovered more than two dozen “suspicious” programs that use the same insecure library found in Superfish. Microsoft on Friday released an update for Windows Defender that removes Superfish.
The US Department of Homeland Security on Friday issued an alert saying that the software makes computers vulnerable to SSL spoofing, a type of man-in-the-middle (MITM) attack, which allows an attacker to imitate a trusted Internet source such as a website.
“Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken,” the department stated.
Lenovo began to bundle Superfish ad software with some of its laptops in September of last year, using it to alter users’ search results, and said it removed the software from its products in January due to user complaints over the intrusiveness of the tool.
However, last week it was disclosed that the software involved includes a library from Israel-based Komodia to modify the Windows networking stack in order to intercept users’ Internet communications, including those protected by Secure Sockets Layer (SSL) encryption.
The Komodia library uses an interception technique that security researchers describe as inherently insecure: it installs a new root Certificate Authority (CA) that is identical on every system, so the same CA could potentially be obtained from one machine and used by an attacker.
“By reusing the same certificate, a bad actor could potentially obtain that CA file and perform ‘man-in-the-middle’ attacks on untrusted networks like public Wi-Fi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the Internet,” wrote Matt Richard, a Threats Researcher on the Facebook Security Team, in an advisory. “In this case, the certificate used by the Superfish software is relatively easy to extract.”
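A defender-side triage check that follows from the point above, added here as an example and not taken from the article or from Lenovo, Komodia or Facebook: it lists root CAs in the Windows trust stores that match a vendor-name pattern, that have a private key linked in the store, or that are absent from a caller-supplied baseline of known-good thumbprints. The `*Superfish*` pattern and the baseline file are assumptions, since the article gives neither the certificate's subject nor its thumbprint.

```powershell
# Added example (not from the article, Lenovo, Komodia or Facebook): triage root
# CA stores for an injected interception CA of the kind described above.
# Assumptions: Windows PowerShell with the Cert: provider; -NamePattern and
# -BaselineThumbprints are supplied by the caller (the article gives neither the
# certificate's subject nor its thumbprint).
function Find-SuspiciousRootCA {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]$NamePattern = '*Superfish*',      # hypothetical vendor-name hint
        [string[]]$BaselineThumbprints = @()       # thumbprints taken from a known-clean machine
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            $reasons = @()
            # A client root store should hold certificates only; a private key linked
            # to a root means this host itself can mint leaf certificates that chain
            # to a trusted root, which is what local SSL interception requires.
            if ($cert.HasPrivateKey) { $reasons += 'private key linked in store' }
            if ($cert.Subject -like $NamePattern) { $reasons += "subject matches '$NamePattern'" }
            if ($BaselineThumbprints.Count -gt 0 -and $BaselineThumbprints -notcontains $cert.Thumbprint) {
                $reasons += 'not in known-good baseline'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    NotAfter   = $cert.NotAfter
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

# Capture the baseline once on a clean reference machine:
#   (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint | Set-Content baseline.txt
# then run the check on the host under review (report only; remove a confirmed
# finding with the vendor's removal tool or Remove-Item on its Cert: path).
$baseline = if (Test-Path .\baseline.txt) { Get-Content .\baseline.txt } else { @() }
Find-SuspiciousRootCA -BaselineThumbprints $baseline | Format-Table -AutoSize
```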
Richard said Facebook has found more than two dozen applications using the Komodia library in question, many of which appear to be “suspicious” adware. The company also found programs categorised as malware, including a program identified by Symantec as Trojan.Nurjax, that use the same Komodia library.
Superfish was founded in Israel in 2006 by co-founders Adi Pinhas, whose background is in computer surveillance, and Michael Chertkof, a data-mining specialist, and is now based in Palo Alto, California. The company said the vulnerability was introduced “inadvertently” by Komodia.
Komodia’s website describes its technology as a “hijacker” that allows “easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning”.
Lenovo apologised for the “concerns” caused by its use of the software and said it is releasing a tool to automatically remove Superfish.
“We did not know about this potential security vulnerability,” Lenovo said in a statement. “We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it.”
Lenovo said the software was installed only on “select” computers, but didn’t estimate the number of systems affected. The systems include laptops in the Yoga, Flex and MiiX lines and the E, G, U, Y and Z series.
In 2013 it was revealed that Lenovo computers had allegedly been banned from use by the British government. The ban was put in place in the mid-2000s after lab testing found back doors and security flaws in Lenovo hardware.
Lenovo PCs and laptops have also been banned from use in the defence sectors of Australia, Canada, the United States, and New Zealand.