Friday, March 29, 2024

How could Lenovo miss its Superfish security hole?


Great white shark swimming by man on raft wearing shirt and tie

Until mid-day yesterday Lenovo thought the biggest problem with Superfish VisualDiscovery was the annoying ads it caused to pop up on customers’ laptops. Superfish was supposed to analyze images on the web and “help” consumers find similar products, but the information security world was learning that it (apparently unintentionally) does quite a bit more. Facebook engineer Mike Shaver tweeted Wednesday night about how the preloaded adware performs a man-in-the-middle (MITM) attack on supposedly secure connections, and by Thursday morning security researcher Rob Graham showed how it could be used to spy on the encrypted communications of anyone running the software. At that point, Lenovo CTO Peter Hortensius still referred to the resulting security problems as “theoretical”, but moves today from Microsoft and the US government, along with his comments in an interview with Engadget, show that they’ve realized the threat is very real.

Now, Lenovo admits to the gravity of the problem (even if the company behind Superfish does not, as shown by a spokesperson’s comments to Ars Technica) and is working with others in the industry to fix it. Still, the question remains: how did a security hole this problematic get there in the first place? As Hortensius told me, that’s the question he and his team will be trying to answer over the next week or so.

How to make Superfish go away

The first priority is making sure that Superfish disappears and the security hole is closed, and there are several ways to make sure your PC is secured. Browser test pages (Filippo.io, LastPass) can tell you if you’re affected and give tips on removal. Lenovo has published its own uninstallation instructions, and as of today Microsoft’s Windows Defender scanner has been updated to remove both Superfish and its root certificate. Note that the two are separate: uninstalling the application does not by itself remove the certificate it added to the trust store, and the certificate is what makes the interception invisible to browsers, so both have to go. You can expect other scanners to get a similar update soon, and of course Lenovo is working on an uninstall program of its own that could be available later today.
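For readers who would rather verify the trust store themselves than rely on a web test page, the following PowerShell script is an added example, not code from Lenovo, Microsoft or the article. It scans the Windows root and intermediate stores for any certificate whose subject or issuer matches a pattern, reports what it finds, and can remove the matches. It assumes the injected root’s subject contains the string “Superfish”; the pattern is a parameter so it can be adjusted if a machine shows a different name.

```powershell
# Added example: find (and optionally remove) an injected root certificate.
# Not from the original article. Assumption: the certificate's subject or
# issuer contains "Superfish"; override -Pattern if yours differs.
param(
    [string]$Pattern = '*Superfish*',
    [switch]$Remove
)

# Root stores are where a MITM certificate has to live to be trusted;
# the CA (intermediate) stores are checked as well in case it was put there.
$stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $Pattern -or $_.Issuer -like $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A self-signed entry in a Root store is a trust anchor:
                # anything signed with its private key is trusted by Windows.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
                PSPath        = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output "No certificate matching '$Pattern' in the checked stores."
    return
}

$found | Format-Table Store, Subject, Thumbprint, SelfSigned, HasPrivateKey -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # LocalMachine stores require an elevated (administrator) session.
        Remove-Item -Path $cert.PSPath -Confirm
    }
}
```

Run it without `-Remove` first to see what matches; `HasPrivateKey` being true on a root entry is the worst case, since the interception software on that machine can sign for any site. Two caveats: remove the Superfish application before the certificate, because the software re-creates the certificate while it is running, and this script only covers the Windows certificate stores, so a browser that keeps its own trust store (Firefox does) has to be checked separately.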

Why is Superfish such a big problem?

Superfish’s security problems are worsened by practices researchers have uncovered over the last day or so: not only is the private key behind its root certificate easily extracted, as Rob Graham discovered, but the same certificate and key ship on every affected computer, so extracting it once compromises all of them. It appears that Superfish (and others) used SSL-interception technology from a company called Komodia to pull off its ham-fisted intervention, and every product built on it is equally vulnerable. Even worse, beyond the initially discovered MITM vulnerability and weak encryption, the Komodia component can be easily tricked into accepting any certificate as valid, so an attacker does not even need the extracted key to intercept a victim’s connections. According to CloudFlare security team member Filippo Valsorda, that means it’s easy to intercept encrypted traffic from anyone with Komodia-powered software on their system.

What is Lenovo doing about it?

While we wait to find out the next way this will get worse, Lenovo says it is taking steps to turn things around. Of course, as security researcher Kenn White asked, after the company ignored respected security researchers “activating the Batsignal”, restoring its public trust will be tricky. The software appeared on computers beginning in September, and posters on Lenovo support forums were asking questions that should’ve raised alarms for months.

According to Hortensius, Lenovo does security checks on software that it preloads, but apparently Superfish passed those even with this glaring security hole. He says “If we knew then what we know now, we’d never have shipped this”, and that security practices, even the ones the company will institute going forward, can never be 100 percent effective. He says that information with real substance is coming, detailing how Lenovo plans to avoid getting caught out like this again, which will be key. Patching the software is relatively simple; filling in this hole in the company’s reputation may not be so easy.

[Image credit: (shark) Martin Barraud, (Windows Defender scan) Filippo Valsorda]

Filed under: Desktops, Laptops, Internet, Lenovo
