PrivDog Flaw ‘Worse Than Superfish’

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications


Ad-filtering tool introduces a potential phishing flaw that may affect more than 50,000 users

Certain versions of the PrivDog ad-filtering tool introduce a security flaw similar to the one recently disclosed in the Superfish adware built into some Lenovo laptops, PrivDog has acknowledged.

PrivDog was developed by Melih Abdulhayoğlu, the founder of Comodo, which provides the security certificates used by one-third of the world’s websites, and is distributed with some Comodo security software. However, the affected versions – 3.0.96.0 and 3.0.97.0 – have never been distributed with Comodo products, according to a company representative.

Patch issued

PrivDog said the issue affects an estimated 57,568 users worldwide, and will be corrected in a patch set to be issued automatically on Tuesday.

“The potential issue has already been corrected,” PrivDog stated. “There will be an update which will automatically update all 57,568 users of these specific PrivDog versions.”

The versions of PrivDog in question include a feature that intercepts a user’s web traffic in order to scan for potentially malicious ads, replacing them with ads from trusted sources.

Man-in-the-middle

Like Superfish, the feature works by installing a self-generated root certificate, allowing it to run as a man-in-the-middle proxy. However, where Superfish created a security vulnerability by installing the same root certificate on all systems, PrivDog uses a different root certificate on each system.

The PrivDog issue is different: the proxy does not properly validate the certificates it receives from websites, so it may accept, and re-sign with its own trusted root, a certificate that would normally trigger browser alerts. An attacker could potentially use this weakness to carry out phishing attacks, researchers said.
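As an added illustration, not code from PrivDog, Comodo or the researchers quoted here, the checks an intercepting proxy has to perform on a site's certificate before re-signing it with its local root, placed beside the accept-everything behaviour the article describes. Certificates and the trust store are constructed dicts standing in for parsed X.509 data, and signature verification is omitted from the model.

```python
from datetime import datetime, timezone

# Constructed trust store: subjects of the roots this model proxy trusts.
TRUSTED_ROOTS = {"Example Root CA"}

def _cert(subject, issuer, san, start=2010, end=2030):
    """Constructed stand-in for a parsed X.509 certificate (no real signatures)."""
    return {"subject": subject, "issuer": issuer, "san": san,
            "not_before": datetime(start, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(end, 1, 1, tzinfo=timezone.utc)}

def _name_matches(pattern, hostname):
    """RFC 6125-style name match: exact, or '*' replacing the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Never let a wildcard stand for a whole registrable domain (e.g. '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def validate_upstream(chain, hostname, now):
    """Reasons to refuse re-signing `chain` (leaf first); an empty list means acceptable.
    These are the checks the browser would have made had the proxy not been in the way."""
    reasons = []
    for cert, issuer in zip(chain, chain[1:]):  # each cert must be issued by the next
        if cert["issuer"] != issuer["subject"]:
            reasons.append("broken chain")
            break
    if chain[-1]["subject"] not in TRUSTED_ROOTS:  # self-signed or unknown CA
        reasons.append("untrusted issuer")
    for cert in chain:
        if not cert["not_before"] <= now <= cert["not_after"]:
            reasons.append("expired or not yet valid: " + cert["subject"])
    if not any(_name_matches(n, hostname) for n in chain[0]["san"]):
        reasons.append("hostname mismatch")
    return reasons

def flawed_accept(chain, hostname, now):
    """What the reported behaviour amounts to: re-sign whatever the site presents."""
    return True

# Constructed sample chains, evaluated against a 24 Feb 2015 clock.
NOW = datetime(2015, 2, 24, tzinfo=timezone.utc)
ROOT = _cert("Example Root CA", "Example Root CA", [])
GOOD_CHAIN = [_cert("www.example.com", "Example Root CA", ["www.example.com", "*.example.com"]), ROOT]
EXPIRED_CHAIN = [_cert("www.example.com", "Example Root CA", ["www.example.com"], end=2014), ROOT]
SELF_SIGNED_CHAIN = [_cert("login.example.net", "login.example.net", ["login.example.net"])]
```

Each of the three rejected cases below would produce a browser warning on an unproxied connection; the flawed path hides all of them behind a freshly minted, locally trusted certificate.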

Simon Crosby, co-founder of security firm Bromium, said PrivDog is “substantially more scary” than Superfish, because it “turns your browser into one that accepts every HTTPS certificate out there without checking its validity”.

The US government advised companies late last week to remove Superfish. Lenovo said it is distributing a tool for removing Superfish from its laptops, while companies including Microsoft and Symantec updated their security products to block the adware.
