CATEGORIES
home News

Lavasoft And Comodo Allegedly Employing Vulnerable 'Superfish' Style Code

by Rob WilliamsMonday, February 23, 2015, 11:38 AM EDT

It hasn't even been a full week since we first learned of 'Superfish', and yet it's already beginning to feel like it's a subject that just won't die. But that's for good reason, though, as its effects are wider-reaching than we originally realized.

In case you've been sleeping since this debacle began, let's catch you up. It all started when Lenovo was caught installing an ad-injector on shipping PCs called Superfish. It was quickly discovered that ad-injection was just a minor annoyance: what made it dangerous is that it utilized a self-signed security certificate that negated the protections provided by SSL. A day later, Lenovo issued an apology and instructions for uninstalling Superfish, and on Saturday, it followed-up with an automatic tool for taking care of the chore.

Lenovo Z Notebook

As the weekend progressed, it became clear that Lenovo wasn't the only guilty party here, and that this vulnerability's reach was far greater.

The massive security hole that was opened through Superfish was the result of the software's adoption of an engine from Komodia; one that allows interception of secure traffic. This by design isn't a bad thing per se; it can aide security scanners by letting them intercept potentially malicious traffic from secure websites. The problem, though, stems from the fact that all Komodia installs used the same encryption keys for its certificates, which were easily extracted.

It gets better: the password for the certificates is 'komodia'. I think Komodia needs to make an effort to read HotHardware a lot more.

Lavasoft Adaware Web Companion

Nonetheless, on Sunday, popular anti-malware software provider Lavasoft admitted that one of its tools, called Ad-Aware Web Companion, made use of Komodia's software (or 'SDK') as well. Interestingly, the company says that it's been investigating its use of Komodia's engine since last month, and even before this Lenovo news broke, it decided to remove the component from its software. Unfortunately, it wasn't removed in advance of this debacle, but Lavasoft says that all of its installers will be updated by today.

And as if that wasn't bad enough, Comodo, a company that provides about 1/3rd of the planet's SSL certificates, has also become part of this mess - kind of. It's actually software called PrivDog, which is the creation of Comodo CEO Melih Abdulhayoglu, that's at fault here. It doesn't use Komodia, but it does expose its users to the exact same sort of man-in-the-middle attacks that Lavasoft's software and Superfish did.

When will this end? Probably not soon. I think I'm safe in saying, "stay tuned for more".

Tags:  Lenovo, superfish
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment