US CERT warns about the risk posed by the browser component

Feb 20, 2015 09:35 GMT  ·  By
This explanation of how Superfish works may be funny but it's serious business

Security companies began including detection routines for the Superfish browser add-on in their products following the discovery that it relied on a self-signed root certificate to intercept encrypted traffic, thus having access to sensitive information in plain text.

The add-on, which came preloaded on multiple Lenovo laptops between September and December 2014, created a lot of buzz on the security scene this week, when researchers discovered its behavior.

Superfishy behavior

The Superfish service is designed to inject advertisements in the webpages accessed by users and to help find cheaper alternatives for the products they search online by running an image matching algorithm on more than 70,000 online stores.

To do this, it installs a transparent (man-in-the-middle) proxy service based on Komodia's “SSL Digestor” engine, which places a self-generated root certificate in the Windows certificate store and re-signs the certificates of HTTPS sites on the fly, so the browser trusts the proxy's copy instead of the real one. Komodia’s website is currently offline “due to DDOS with the recent media attention.”

Aside from the fact that this setup gives a third party access to information that should be encrypted between the client and the server, the worst part is that the same RSA private key was used for the certificate on every affected machine; anyone who cracks that key would be able to intercept the communication of Superfish users and peek into their supposedly secure traffic.

On Thursday, Robert Graham, Errata Security CEO, managed to crack the password for the encrypted private key of the certificate. After some toil and tweaking, the security expert managed to find the password in just ten seconds.

Several antivirus products trigger alerts for Superfish

Up until recently, Superfish was considered just a potentially unwanted program (PUP), as it was pushed onto users’ computers when certain free applications were installed.

Tutorials on how to remove the browser component have been available online for years, but it remained undetected by most security products.

Even in the wake of the recent revelations, detection is low (six out of 57 on VirusTotal), although security solutions have started to include the necessary routines to trigger an alert when Superfish is found.

At the moment, among the more popular antivirus products, only those from Avira, Symantec and Trend Micro can issue a warning about the add-on, either based on a signature or through reputation or heuristic engines.

On Thursday, the CERT division at Carnegie Mellon University published an advisory on Komodia’s SSL Digestor, listing multiple software products from several vendors (KeepMyFamilySecure, Komodia, Kurupira, Lenovo, Qustodio and Superfish) that rely on it.

The security bulletin also notes that removing the program is not sufficient to mitigate the risk, as the root certificate also needs to be uninstalled. Microsoft provides instructions for doing this in the Windows certificate store, and Mozilla does the same for its Firefox web browser and Thunderbird email client, which keep their own certificate stores.
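The following PowerShell snippet is an added example for the check described above; it is not part of the article, the CERT advisory or Microsoft's own guidance. It lists any root certificate in the machine and user Root stores whose subject or issuer matches a pattern (the `*Superfish*` pattern is an assumption and should be adjusted to the certificate being hunted) and removes each match, since removing the program alone leaves the interception root trusted.

```powershell
# Added example, not from the article or the CERT advisory.
# Assumption: the interception root can be recognised by "Superfish" in its
# Subject or Issuer; edit $pattern for any other Komodia-based product.
$pattern = '*Superfish*'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Collect matches from both Root stores, remembering which store each came from.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $pattern -or $_.Issuer -like $pattern } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Output "No certificate matching '$pattern' found in the Root stores."
}
else {
    # Show what will be removed before touching the store.
    $found | Format-Table -AutoSize

    # Remove each match. LocalMachine entries need an elevated prompt.
    foreach ($cert in $found) {
        Remove-Item -Path (Join-Path $cert.Store $cert.Thumbprint) -Verbose
    }
}
```

Run it from an elevated PowerShell session so the `LocalMachine` store can be modified; the user-store entries are removed under the current account only, so repeat for other local accounts. Firefox and Thunderbird are not covered by this script because they do not use the Windows store.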