Lavasoft And Comodo Allegedly Employing Vulnerable 'Superfish' Style Code
It hasn't even been a full week since we first learned of 'Superfish', and yet it's already beginning to feel like a subject that just won't die. That's for good reason, though: its effects are wider-reaching than we originally realized.
In case you've been sleeping since this debacle began, let's catch you up. It all started when Lenovo was caught installing an ad-injector called Superfish on shipping PCs. It was quickly discovered that the ad-injection was just a minor annoyance: what made it dangerous is that it utilized a self-signed security certificate that negated the protections provided by SSL. A day later, Lenovo issued an apology and instructions for uninstalling Superfish, and on Saturday, it followed up with an automatic tool for taking care of the chore.
As the weekend progressed, it became clear that Lenovo wasn't the only guilty party here, and that this vulnerability's reach was far greater.
The massive security hole that was opened through Superfish was the result of the software's adoption of an engine from Komodia, one that allows interception of secure traffic. By design, this isn't a bad thing per se; it can aid security scanners by letting them inspect potentially malicious traffic from secure websites. The problem, though, stems from the fact that all Komodia installs used the same encryption keys for their certificates, and those keys were easily extracted.
It gets better: the password for the certificates is 'komodia'. I think Komodia needs to make an effort to read HotHardware a lot more.
Nonetheless, on Sunday, popular anti-malware software provider Lavasoft admitted that one of its tools, called Ad-Aware Web Companion, made use of Komodia's software (or 'SDK') as well. Interestingly, the company says that it's been investigating its use of Komodia's engine since last month, and even before this Lenovo news broke, it decided to remove the component from its software. Unfortunately, it wasn't removed in advance of this debacle, but Lavasoft says that all of its installers will be updated by today.
And as if that wasn't bad enough, Comodo, a company that provides about a third of the planet's SSL certificates, has also become part of this mess - kind of. It's actually software called PrivDog, the creation of Comodo CEO Melih Abdulhayoglu, that's at fault here. It doesn't use Komodia, but it does expose its users to the exact same sort of man-in-the-middle attacks that Lavasoft's software and Superfish did.
When will this end? Probably not soon. I think I'm safe in saying, "stay tuned for more".